June 5th is the anniversary of the date that Edward Snowden’s initial disclosures became public. The disclosures have been on-going and painful, but there are some things that we should all have learned, regardless of how you feel about the topic.
Rein in your privileged users. Realize that Snowden was able to access private information because of what he was (a system administrator/privileged user), not who he was. Snowden didn’t have to do anything extravagant – like bypassing firewalls or hacking into private databases; as a result of his employer’s access policies for data, he was given ‘unfettered access’ to systems and to the data available to them. There is no longer an excuse for this to happen with sensitive data. Solutions exist that restrict access to sensitive information in ways that still let privileged users perform their work (administering systems) without reading the protected data those systems hold.
Find one that is a good fit for your organization, identify where your sensitive data resides, and use it.
Realize that your data is the target, not your network. Yes – attackers do penetrate firewalls and exploit application security holes, but they do so to get to high value data, just as an inside attacker would. What’s more, insiders are already on your network, and an attack that compromises insider or privileged user credentials is going to sail right past your network and perimeter defenses. Insiders like Snowden won’t even be slowed down.
Monitor your data access patterns. If you want to know whether your data is safe, you have to watch insiders with legitimate access as well as look for unauthorized access attempts. If the accounts Snowden used to access sensitive information had been monitored (even though he frequently borrowed others’ credentials), changes in the amount and type of data being accessed would have raised a flag about those accounts and led to an investigation.
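The kind of monitoring described above can be reduced to a per-account baseline: how much data does each account normally read per day, and from which datasets? The following is an added example (not code from the original post) that builds such a baseline from a constructed access log and flags an account whose volume or breadth of access departs from its own history. The account names, dataset names and byte counts are invented for illustration, and the threshold rule (mean plus three standard deviations, or double the mean when the history is flat) is an assumption, not a recommendation from the post.

```python
"""Flag accounts whose data-access volume or breadth departs from their own baseline."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (day, account, dataset, bytes_read).
# Days 1-7 form the baseline window; day 8 is the day under review.
# All names and numbers here are invented for the example.
ACCESS_LOG = [
    # alice pulls the same payroll extract every day, including day 8
    *[(d, "alice", "hr_payroll", 10_000_000) for d in range(1, 9)],
    # sysadmin1 normally touches only the config repo, with small daily variation
    *[(d, "sysadmin1", "config_repo", 2_000_000 + 100_000 * (d % 3)) for d in range(1, 8)],
    # ... but on day 8 reads several sensitive datasets in bulk
    (8, "sysadmin1", "config_repo", 2_000_000),
    (8, "sysadmin1", "hr_payroll", 150_000_000),
    (8, "sysadmin1", "legal_docs", 120_000_000),
    (8, "sysadmin1", "finance_ledger", 130_000_000),
]


def daily_profile(log):
    """Aggregate the log into {account: {day: [bytes_total, set_of_datasets]}}."""
    profile = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for day, account, dataset, nbytes in log:
        entry = profile[account][day]
        entry[0] += nbytes
        entry[1].add(dataset)
    return profile


def flag_anomalies(log, review_day, baseline_days, sigma=3.0):
    """Return {account: [reasons]} for accounts that deviate from their own baseline.

    Two checks are applied per account:
      * volume: bytes read on review_day exceed mean + sigma * stdev of the baseline
        (or double the mean when the baseline has no variance at all);
      * breadth: a dataset was read that never appeared in the baseline window.
    """
    profile = daily_profile(log)
    findings = {}
    for account, days in profile.items():
        base = [days[d] for d in baseline_days if d in days]
        if not base or review_day not in days:
            continue  # nothing to compare: no history, or no activity on review_day
        base_bytes = [b for b, _ in base]
        known_datasets = set().union(*[s for _, s in base])
        mu, sd = mean(base_bytes), pstdev(base_bytes)
        today_bytes, today_sets = days[review_day]
        reasons = []
        threshold = mu + sigma * sd if sd > 0 else 2 * mu
        if today_bytes > threshold:
            reasons.append(f"volume {today_bytes} exceeds threshold {threshold:.0f}")
        new_datasets = today_sets - known_datasets
        if new_datasets:
            reasons.append(f"datasets not seen in baseline: {sorted(new_datasets)}")
        if reasons:
            findings[account] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in flag_anomalies(ACCESS_LOG, review_day=8, baseline_days=range(1, 8)).items():
        print(account)
        for reason in reasons:
            print("  -", reason)
```

Run as a script, it reports only `sysadmin1`, on both counts: the day-8 total is far above the account's own history, and three of the datasets had never been read by that account before. `alice` reads a large volume every day but is not flagged, which is the point of baselining per account rather than applying one global threshold. In practice the baseline window would be longer and the dataset labels would come from a data classification inventory, so that new access to a dataset tagged sensitive weighs more than new access to an ordinary one.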
Encryption is sexy again … and for good reason. Organizations are learning that if they don’t do encryption right, people are still able to get around it. Really, it becomes an access control and key management issue: determining how much access to give each employee so they can do their job, while protecting corporate data from unauthorized access by locking it down with encryption whose keys those employees do not hold.
Compliance – a good starting point. We’re seeing an industry shift towards implementing risk and security practices, rather than simply compliance. The focus changes to reducing risk, with compliance as one component of that.
This anniversary is a good time for all of us to think about where our priorities lie in light of this last year’s long list of record-breaking data breaches and disclosures. Defend your data. Compliance is not enough.