From Wikileaks to whistleblowers, for example today's NSA PRISM story, we keep seeing new ways that private or sensitive data can be breached.
In this instance, an I.T. contractor working for Booz Allen, Edward Snowden, released details of an NSA domestic surveillance program. How did he get access to this [probably classified] information, you ask?
Said Snowden: “When you’re in positions of privileged access like a systems administrator … you’re exposed to a lot more information in a larger scale than the average employee … Anybody in positions of access with the technical capabilities that I had could suck out secrets and pass them on the open market to Russia … I had access to the full rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world … If I had just wanted to harm the U.S. … you could shut down the surveillance system in an afternoon.”
Is that shocking to you? It should be. How does a low-level IT admin get access to virtually everything – internal confidential documents, secret data…? The mere act of managing these systems grants administrative access to “privileged” accounts.
In virtualized or cloud environments, this situation is exacerbated. But companies like HyTrust provide the security and controls necessary to address this issue. Clearly, solutions are available to address the problem… so why weren't they being used?
Snowden indicated that he revealed what he knew about the NSA because he felt the public had a right to know about wrongs being committed. A modern-day Robin Hood, he may have done what he did for the common good. But whether someone breaches sensitive information for good or evil (Sheriff of Nottingham, Benedict Arnold), the same breach can have devastating consequences for businesses.
This is something every business can learn from, said Eric Chiu, president of HyTrust. Wired Magazine recently published this article on the topic, “Brand Damage Through Information Access,” written by Chiu.
“Without implementing adequate role-based access controls based on least-privileged access, organizations are granting systems administrators god-like access to every piece of data that runs on every system,” Chiu advises.
In a recent Dark Reading article, Scott Hazdra, principal security consultant for Neohapsis states: “Authorized users are authorized users,” meaning that if someone has authorized access to data, then it may be near impossible to know if that person has malicious intent when accessing it. He advises: “You need to set aside a little time to see who has access to what and actually identify specific access controls.”
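The two quotes above describe one control and one exercise: role-based access built on least privilege (Chiu) and a review of who has access to what (Hazdra). The following is an added illustration, not HyTrust's product and not code from the article or from either consultant. It models a “god-like” admin role with a wildcard permission beside a least-privilege role set, and runs an access review over both. The users (`sysadmin`, `hr_analyst`), roles and resource classes are constructed for the example.

```python
"""Least-privilege RBAC check and access review (illustrative, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Actions the review enumerates; a permission is an (action, resource_class) pair,
# and "*" in either position is a wildcard.
ACTIONS = ("read", "write", "manage")
RESOURCE_CLASSES = ("host", "logs", "personnel_roster")


@dataclass
class Role:
    name: str
    perms: set[tuple[str, str]] = field(default_factory=set)


@dataclass
class Policy:
    roles: dict[str, Role]
    assignments: dict[str, set[str]] = field(default_factory=dict)  # user -> role names

    def permits(self, user: str, action: str, resource_class: str) -> bool:
        """Default deny: allow only if some assigned role grants the pair."""
        for role_name in self.assignments.get(user, set()):
            for act, res in self.roles[role_name].perms:
                if act in (action, "*") and res in (resource_class, "*"):
                    return True
        return False

    def access_review(self, resource_classes) -> dict[str, dict[str, set[str]]]:
        """Answer 'who has access to what': user -> resource class -> allowed actions."""
        report: dict[str, dict[str, set[str]]] = {}
        for user in self.assignments:
            per_user: dict[str, set[str]] = {}
            for rc in resource_classes:
                allowed = {a for a in ACTIONS if self.permits(user, a, rc)}
                if allowed:
                    per_user[rc] = allowed
            report[user] = per_user
        return report


def build_godlike_policy() -> Policy:
    """One admin role with a wildcard: managing the systems means reading all the data."""
    admin = Role("admin", {("*", "*")})
    return Policy(roles={"admin": admin}, assignments={"sysadmin": {"admin"}})


def build_least_privilege_policy() -> Policy:
    """Roles scoped to the job: the host operator manages hosts and reads logs,
    but has no permission on the personnel roster, which only HR can read."""
    host_operator = Role("host_operator", {("manage", "host"), ("read", "logs")})
    hr_reader = Role("hr_reader", {("read", "personnel_roster")})
    return Policy(
        roles={"host_operator": host_operator, "hr_reader": hr_reader},
        assignments={"sysadmin": {"host_operator"}, "hr_analyst": {"hr_reader"}},
    )


if __name__ == "__main__":
    for label, policy in (("god-like", build_godlike_policy()),
                          ("least-privilege", build_least_privilege_policy())):
        print(label, policy.access_review(RESOURCE_CLASSES))
```

The review output is the artifact Hazdra is asking for: under the wildcard policy the sysadmin shows read, write and manage on every class including the roster; under the scoped policy the sysadmin's row lists only `host: manage` and `logs: read`, so an administrator can still run the systems without being able to read the data on them.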
Lingering questions remain in the PRISM issue: Is Snowden a traitor or a hero? What other information might he be able to leak? Will he receive asylum? What do you think?