For IT professionals, the drama around Edward Snowden, the former National Security Agency contractor who exposed untold numbers of federal documents about government spying operations, represents some of the most interesting and important technology security news of the past decade. An especially fascinating aspect is that it affects IT security in two completely different ways.
No serious practitioner of information security can look at what happened at the NSA without asking two very different sets of questions:
What is the insider threat within my organization, and are we doing all we can to minimize that threat?
Is our sensitive data being captured by outsiders, and are we doing all we can to make such monitoring as difficult as possible to achieve?
Theoretically, none of these lines of thought should be new when it comes to IT security. These questions focus on topics that are day-to-day concerns for any good IT security manager.
The particular circumstances of Snowden’s dramatic revelations and the accompanying attention from the mainstream media bring a new urgency to this work. For many IT managers, the details of securing enterprise data have been off their radar, with most believing that their operating system and security staffers are trustworthy and are making the best security choices available. As the revelations of the NSA’s once-secret documents have shown, this is not a rock-solid assumption to make.
In addition, because of the wide-ranging coverage of Snowden’s activities, IT managers now have a more concrete context for discussing these issues with organizational leaders and other IT staff members.
For example, trying to bring up the question of Transport Layer Security (TLS) configuration usually elicits yawns of disinterest from system managers and application owners alike. But when one can add the clause “… and if you don’t change this, then the NSA or anyone else can eavesdrop on our web traffic, as Snowden revealed” to a sentence, it makes a highly abstract security concept real and creates a new incentive for action.
IT security has long-focused on access controls, especially at the Internet perimeter, where everything not expressly permitted is forbidden. In most enterprises, internal access controls are also in place, controlling both network access and data and application access, and thus minimizing the ability of any one party to view information not needed for his or her job. The glaring hole is usually the IT staff, who might have access to networks, systems and applications far beyond the limits appropriate for their job descriptions.
This is not the only concern that should be a wake-up call to all CEOs and CIOs regarding IT staff access. IT staff have the ability to exert disproportionate control over IT resources, as shown by Terry Childs, the San Francisco network administrator who, in 2008, was arrested and convicted on felony network tampering charges stemming from his refusal to divulge the password to the city’s Fibre WAN system to his supervisors. With privileged access to information, members of the IT staff are also ideally situated to perpetrate fraud, a temptation that becomes more difficult to resist during times of economic uncertainty.
The best way to deal with insider threats is to stop treating IT staff as if they are different from other organizational IT users. The long-term attitude within tech shops has always been that enhanced access makes their teams’ job simpler and easier, and provides faster resolution of problems — especially critical ones. All of this is true, but also beside the point.
Enterprise CIOs who wish to maintain the status quo should be required to reaffirm their clear decision to accept the risk offered by unfettered network, systems and database access, and to explain and justify that decision to the CEO of the organization.
No CIO wants to stand up and proclaim, “I cannot trust my staff,” just before changing all access controls. In fact, IT staffers will always have more access than a skeptical auditor would prefer. But IT teams should also be willing to put in place sufficient controls and logging such that that no untrustworthy action by any member of the organization will go undetected.
Although the biggest change required to minimize insider threats is a change in attitude, there are also many technologies that can be brought to bear on the problem. A host of products can help both with imposing controls and providing necessary auditing and logging. The products tend to fall into four major categories: identity and access management, data loss prevention, digital rights management and encryption.
Want to learn more? Become an insider and access CDW's Next-Generation Security Reference Guide.