A few days ago, a monumental data breach was announced, caused by the negligence of employees in the Swedish government.
When part of the morning ritual is reading about the data breaches that occurred in the last 24 hours, maybe we have a serious problem. The Swedish data breach, as explained on HackerNews.com, compromised top level classified data stored by the Swedish government.
It mentions, “The data breach exposed the names, photos and home addresses of millions of Swedish citizens, including fighter pilots of Swedish air force, members of the military’s most secretive units, police suspects, people under the witness relocation programme, the weight capacity of all roads and bridges, and much more.”
The data breach occurred because the data, unencrypted, was stored on a cloud server by a contracting company.
Does this sound familiar? Just a few short years ago, the US Office of Personnel Management (OPM) had a similar data breach. They stored the employment applications and security clearance applications of every US citizen who had applied since electronic storage became available, unencrypted, on file servers that were not properly hardened. This included sensitive information such as fingerprints and interviews with candidates, family, coworkers and friends.
Most data threats come from employee negligence, whether intentional or unintentional. This is the ‘insider threat’ that has companies and agencies around the world wondering what they can do to address it.
The goal is to reduce the insider threat to a manageable, acceptable risk. The key pillars to reducing the frequency and severity of data breaches, each one requiring a separate article to discuss, are:
- Know where your sensitive data resides. If the Swedish government had understood the data that resided on the server that was breached, they could probably have applied controls appropriate to that data type. Being proactive about the location of sensitive data and the controls applied to it is essential to preventing a data breach.
- Know who has access to what. This includes employees, contractors, partners and customers, depending on the type of enterprise. When the access includes sensitive data, access levels must be tracked at a fine-grained level. It is not sufficient to know that a user has an account and the general profile assigned to that account. This low level of detail must be trackable by identity for it to be useful in reducing the insider threat.
- Know how the access is being used. Users will always leverage access to resources as far as their knowledge and comfort level will allow. Most users want to understand what they are allowed to do. A very small number may even have nefarious intentions. Understanding the fine-grained details of what a user can do, rolled up to the identity, provides a clear picture of the impact a user can have on the enterprise and the risk that creates.
- Know where risk has been mitigated, how it was mitigated and keep a closer watch on these mitigated exceptions. When user access has been identified as administrative, privileged or high risk to the enterprise, then mitigation should be applied to justify the access, whether permanent or temporary. The mitigation should require a detailed explanation from the approving business manager or application owner. This mitigation provides a historical trail to understand how the access was granted, why the access was granted and who granted the access.
- Hold business accountable for access, certification and mitigation decisions. Business managers and application owners need to have accountability for the access, certification and mitigation decisions they make. This will make the decisions more meaningful and will discourage business from ‘rubber stamping’ access. What ‘accountability’ means should be determined by the enterprise, but the effort must begin by tracking and reviewing the decisions and their impact on the enterprise.
- Run continuous controls with ‘real time’ alerts. When the above suggestions are combined, they create a dataset that facilitates continuous controls. Because you know what users have access to, what it impacts, who approved the access and how the access is being used, intelligent rules become possible. These rules can react to access usage patterns, and can include separation-of-duties (SOD) violations, risk levels and compliance with standards. The rules react by sending email alerts, generating micro certification campaigns or removing access in near ‘real time’.
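To show how the last three pillars combine into one dataset that continuous controls can run over, here is an added example (not the author's code, nor any identity governance product's). It assumes a constructed set of entitlement records carrying risk level, approving manager, an optional mitigation record with justification and expiry, and last-use date; a constructed list of SOD pairs; and a 90-day dormancy threshold. The rules produce the three reactions the post names (alert, micro certification, removal) and a per-approver scorecard that surfaces who is approving the access that keeps getting flagged.

```python
"""Continuous access controls over a governance dataset (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional, List, Tuple


@dataclass
class Mitigation:
    """Historical trail for privileged access: who justified it and until when."""
    approver: str
    justification: str
    expires: Optional[date]  # None means the mitigation is permanent


@dataclass
class Entitlement:
    user: str
    entitlement: str
    risk: str                   # "low", "privileged" or "high"
    approver: str               # business manager / application owner who granted it
    mitigation: Optional[Mitigation] = None
    last_used: Optional[date] = None


@dataclass
class Action:
    user: str
    kind: str                   # "alert", "micro_cert" or "remove"
    reason: str
    approvers: Tuple[str, ...]  # decision makers accountable for the flagged access


# Constructed SOD pairs: one identity must not hold both sides.
SOD_RULES = [
    ("payments.create", "payments.approve"),
    ("vendor.create", "payments.approve"),
]

# Constructed sample dataset (all names and entitlements are invented).
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "payments.create", "low", "bob", None, date(2017, 7, 30)),
    Entitlement("alice", "payments.approve", "privileged", "bob",
                Mitigation("bob", "Backup approver during audit season", None), date(2017, 7, 28)),
    Entitlement("carol", "db.admin", "high", "dave", None, date(2017, 7, 31)),
    Entitlement("erin", "prod.root", "privileged", "dave",
                Mitigation("dave", "Incident response for June outage", date(2017, 6, 15)), date(2017, 6, 10)),
    Entitlement("frank", "hr.read", "low", "heidi", None, date(2017, 7, 1)),
    Entitlement("grace", "backup.admin", "privileged", "heidi",
                Mitigation("heidi", "Quarterly restore test owner", None), date(2017, 1, 10)),
]


def evaluate(entitlements: List[Entitlement], today: date, dormant_days: int = 90) -> List[Action]:
    """Run the continuous-control rules and return the reactions they trigger."""
    actions: List[Action] = []
    by_user = {}
    for e in entitlements:
        by_user.setdefault(e.user, []).append(e)

    for user, ents in by_user.items():
        held = {e.entitlement: e for e in ents}
        # Rule 1: toxic combinations across everything the identity holds.
        for a, b in SOD_RULES:
            if a in held and b in held:
                accountable = tuple(sorted({held[a].approver, held[b].approver}))
                actions.append(Action(user, "alert", f"SOD violation: {a} + {b}", accountable))
        # Rules 2-4 apply only to privileged or high-risk access.
        for e in ents:
            if e.risk not in ("privileged", "high"):
                continue
            if e.mitigation is None:
                actions.append(Action(user, "micro_cert",
                                      f"{e.risk} access {e.entitlement} has no mitigation record", (e.approver,)))
            elif e.mitigation.expires is not None and e.mitigation.expires < today:
                actions.append(Action(user, "remove",
                                      f"temporary mitigation for {e.entitlement} expired {e.mitigation.expires}",
                                      (e.mitigation.approver,)))
            elif e.last_used is None or (today - e.last_used).days > dormant_days:
                actions.append(Action(user, "micro_cert",
                                      f"{e.entitlement} unused for more than {dormant_days} days", (e.approver,)))
    return actions


def approver_scorecard(actions: List[Action]) -> Counter:
    """Count flagged decisions per approver, the raw input for accountability reviews."""
    card: Counter = Counter()
    for a in actions:
        for approver in a.approvers:
            card[approver] += 1
    return card


if __name__ == "__main__":
    found = evaluate(SAMPLE_ENTITLEMENTS, date(2017, 8, 1))
    for a in found:
        print(f"{a.kind:10} {a.user:6} {a.reason}  (approved by {', '.join(a.approvers)})")
    print("scorecard:", dict(approver_scorecard(found)))
```

In a real deployment the rules would be fed from the identity store and usage logs rather than a constructed list, and the "remove" reaction would call the provisioning system; the point of the structure is that every reaction carries the approver, so the scorecard ties the control back to the accountability pillar.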
I hope that this blog entry can provide ideas and direction for enterprises to avoid data breaches through minimizing insider threats.