Whenever a new Snowden document is released, a new wave of discussion ramps up in the press about governments spying on each other and on their citizens.
There is, however, another aspect that in my opinion deserves a closer look. Edward Snowden, a contractor for the NSA, walked out of the building with a large number of sensitive files in his backpack. This is obviously not the first case of its kind to hit the press, even if nobody else has managed to stay in the news for so long: there were the insiders who sold stolen bank data to tax authorities (and, even worse, authorities that bought stolen goods), and there was a case in Switzerland where an IT administrator of the national intelligence service walked out with a hard disk full of sensitive data.
At the end of the day, it is all about the insider threat, in this case with criminal intent.
So we need to put measures in place to defend against insiders who try to steal information, and we all know that this is a tough job. In my opinion it gets even harder: security can only be effective if we allow the good people in our companies (probably around 99.8%) to do their job, and to do it efficiently. If we do not keep that focus, users will do whatever it takes to get their work done, regardless of any security policy. At the end of the day, we need to trust our employees and still find the 0.2% with bad intentions.
What do we need to do in such an environment? Hard to say, but a few things are obvious:
- Security Monitoring: If we go down the road of trusting people, we should nevertheless not be naive. There will be attacks and there will be fraud; that is part of human nature. If we base our security on trust, we need to invest in monitoring to catch the bad guys. As I stated in an earlier blog post (Indicators of Compromise: think the business way), monitoring has to follow the business and its rules. In my opinion that is the only way to be effective and efficient in monitoring.
- Data Leakage Prevention: It was and still is amazing to me how business works. PRISM went public and a lot of vendors started to push DLP products. They all sound great, but would they really have prevented an internal system administrator from stealing your information? I doubt it.
- Background Checks: It is fairly obvious that you do not want a convicted criminal taking care of your crown jewels. But still a lot of companies do not dare to do background checks, and the ones that do sometimes cover the whole company. I think this should be done risk-based: if somebody enters a high-risk job (e.g. a Domain Admin), do the background check; otherwise, do not.
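To make the monitoring point concrete, here is an added example (not code from the original post) of what "monitoring that follows the business rules" can look like for file-share access. Two rules are encoded: a role may only read the shares its job needs (a domain admin administers the servers and has no business reason to open HR documents), and nobody's job needs more than a handful of distinct documents from one share within a few minutes. The audit-line format, the role-to-share policy, the thresholds and the sample events are all assumptions constructed for the illustration.

```python
"""Business-rule driven insider monitoring over constructed file-access audit lines.

Added example; the event format, policy table, thresholds and sample data
are assumptions made for this illustration, not a real product's format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule 1 (assumed policy): which roles have a business reason to read which shares.
# Domain admins administer the servers; they have no business reason to open the
# content, so their allowed set is empty.
ALLOWED_SHARES = {
    "finance": {"finance"},
    "hr": {"hr"},
    "domain_admin": set(),
}

# Rule 2 (assumed thresholds): more than this many distinct files from one share
# inside the window is bulk copying, whatever the role.
BULK_THRESHOLD = 20
BULK_WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Parse an assumed 'timestamp|user|role|share|path|action' audit line."""
    ts, user, role, share, path, action = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "share": share, "path": path, "action": action}


def role_rule_alerts(events):
    """Flag every read of a share that the user's role has no business reason to read."""
    alerts = []
    for e in events:
        if e["action"] != "READ":
            continue
        if e["share"] not in ALLOWED_SHARES.get(e["role"], set()):
            alerts.append({"rule": "role_share_mismatch", "user": e["user"],
                           "detail": f"{e['role']} read {e['share']}:{e['path']}"})
    return alerts


def bulk_read_alerts(events):
    """Flag a user who reads more than BULK_THRESHOLD distinct files from one share
    inside BULK_WINDOW (sliding window over time; one alert per user and share)."""
    alerts = []
    reads = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] == "READ":
            reads[(e["user"], e["share"])].append(e)
    for (user, share), evs in reads.items():
        window = deque()
        for e in evs:
            window.append(e)
            while e["ts"] - window[0]["ts"] > BULK_WINDOW:   # drop events outside the window
                window.popleft()
            distinct = {w["path"] for w in window}
            if len(distinct) > BULK_THRESHOLD:
                alerts.append({"rule": "bulk_read", "user": user,
                               "detail": f"{len(distinct)} distinct files from {share} "
                                         f"within {BULK_WINDOW}"})
                break
    return alerts


def analyze(lines):
    """Run both business rules over raw audit lines and return the alerts."""
    events = [parse_event(line) for line in lines if line.strip()]
    return role_rule_alerts(events) + bulk_read_alerts(events)


def _constructed_log():
    """Constructed sample audit lines (not real data)."""
    base = datetime(2013, 6, 5, 9, 0, 0)
    lines = []
    # alice (finance) reads three finance files: normal work, no alert
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()}|alice|finance|finance|budget_{i}.xlsx|READ")
    # bob (domain admin) opens an HR document: breaks rule 1
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()}|bob|domain_admin|hr|salaries.xlsx|READ")
    # carol (hr) reads 25 HR files over about three hours: allowed share, not bulk
    for i in range(25):
        lines.append(f"{(base + timedelta(minutes=8 * i)).isoformat()}|carol|hr|hr|contract_{i}.pdf|READ")
    # mallory (hr) pulls 25 HR files in four minutes: allowed share, but bulk (rule 2)
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()}|mallory|hr|hr|contract_{i}.pdf|READ")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints exactly two alerts: bob's role/share mismatch and mallory's bulk read. Carol, who opens the same 25 documents as mallory but at a normal working pace, is not flagged, which is the point of tying the rule to how the business actually works rather than to raw access counts.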
What else can you do? Well, all the basic stuff you hopefully do anyway. But the insider threat stays until we fundamentally change our architectures and separate access to the information (e.g. a file with an ACL) from access to the key that protects it. I will talk about this and some additional ideas in a later post.