Reflecting on our celebration of independence earlier this month gives us a chance to think about what is important to us as Americans - and the associated rights, privileges and responsibilities. Regardless of our beliefs, we can all agree that certain things are personal, sensitive and private. This may include ideas, concepts and inventions. It should also include the data that sits behind them. Why? Because this data fuels our businesses, our personal lives and our governments. This data has great value, much like currency does in our banking system. The question is: who exactly should have access to this new currency?
Recent events at the National Security Agency (NSA) have brought a couple of these points of access and privileges to light. Does a systems administrator have the right to extract data from the organization he or she supports? Certainly there are many opinions on whether the data in question should or should not have been exposed. I’ve seen the terms patriot and traitor applied with equal zeal from concerned citizens.
In my opinion, praising or demonizing Edward Snowden misses the central issue. Instead, the issue we should be discussing is one of access rights and distribution. In this case, that data affects our national security operations. Data only has value when accessible, so it should only be consumable by those who truly have a “need to know.”
This is important for two reasons:
1. Insider threats: The potential of damage from insider threats, such as Edward Snowden wreaked at the NSA, is not only real, but widespread. It exists across borders (both geographic and otherwise) and in both traditional and cloud environments.
Systems administrators and other privileged users have had unrestricted access to far too many systems and the sensitive, valuable data they house. Individuals in IT roles simply do not need that level of data access to do their jobs – the right level of controls have simply not been put in place.
2. External threats: The external threat is just as common and is probably better known as an Advanced Persistent Threat (APT). APTs are typically calculated and involve advanced techniques of entry that develop over weeks, months or years. Such threats ultimately gain access to these privileged rights, and extract the critical data of the organization.
It’s clear traditional security at the perimeter and application layer aren’t stopping breaches of either type. When previous solutions aren’t working, it’s time to find a new way to solve the problem.
The answer lies in the where the protection occurs. Most homes have door locks and home security systems. However, if residents are lucky enough to have a large sum of money, jewelry or other valuables, they would likely secure those items in a safe, even if they had door locks and a perimeter security system.
Our IT security is no different. Security can no longer stop at the front door. Instead, we need to assume a break-in will occur. When it does, the best way to thwart would-be attackers is to lock down sensitive data via strong security measures and policies that determine access parameters. By simply reducing targets through policy-based access and removing data authority from privileged users who don’t need it, we can keep our IT valuables safe — and, as a side benefit, keep people like Edward Snowden from having their 15 minutes of fame.