The recent revelations that Edward Snowden stole a coworker's password to gain access to sensitive NSA information should be a wake-up call to business and technology leaders. Using outdated ways of controlling information access may be hurting your business.
The practice of using IDs and passwords to control access to information has been around for a long time. Militaries as far back as the Romans used passwords to get past sentries. Passwords and counter passwords were fairly common as a way to make it more difficult to fool a sentry or get sensitive information.
My favorite use of this is in spy movies or television shows, like Get Smart, where they had a series of phrases and counter phrases to authenticate someone. I love the one in the James Bond movie GoldenEye where James is trying to get a CIA agent to give him the countersign. The CIA agent says, after being threatened, “All right, in London April is a spring month, whereas in St. Petersburg we’re freezing our butts off. Is that close enough for government work?” Bond says, “No, show me the tattoo.”
The problem with IDs and passwords is that they’re easy to forget and prone to hacking or guessing. How many times have you read a story about people using 123456 or “password” as their password? How about writing a password on a sticky note and putting it on a computer monitor?
A recent study by the Ponemon Institute shows that more organizations are looking to encrypt sensitive information as the best way to protect themselves. Most business information is either in databases or documents, so you need to start by assessing what is sensitive and deciding how to encrypt it. You should think about data encryption in three ways: protecting data at rest, in motion and in use.
Protecting data at rest means you should encrypt documents and data on a server, desktop, laptop or mobile device. If the device is lost or stolen, the data is protected. If someone inside your organization steals a device, this can help stop a data breach.
Protecting data in motion means using SSL or another transport-layer encryption protocol to protect the information as it moves from user to user and from system to system. Anyone banking or making a purchase online should be familiar with the HTTPS prefix in the browser address bar. It means that your device and the server are encrypting the transmission.
Protecting data in use is the most important way to protect your business, but it is also the least deployed. If you encrypt a file in a file system, as soon as you open it and copy it elsewhere, the copy is no longer protected by that encryption. If you encrypt a session between you and a server, once the file is on your laptop or mobile device, the owner of the document has no control over it.
You can control access to files while they are in a repository, like Microsoft SharePoint or IBM FileNet, but as soon as someone downloads them, that user can send the file anywhere. There is nothing preventing that. If you really want to control access, you need to implement a security policy that lets you control who can access the file and what they can do with it, regardless of where it is.
If a trusted insider goes rogue and decides to send sensitive company information to your competitors, the press or another unauthorized person, you can limit access through a security policy. You can shut off access to the files immediately. That would have stopped Edward Snowden from using the files he stole.
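The persistent policy described above can be demonstrated in a small model: the file carries only ciphertext, while the key and the access policy stay with a policy service that is consulted on every open, so copying the file elsewhere does not carry the right to read it, and revoking a user takes effect on their next attempt. This is an added example, not code from the original post; the `PolicyServer` class, the document and user names, and the HMAC-SHA256 keystream construction are all assumptions of the example (a deployment would use AES-GCM from a vetted library and an authenticated channel to the policy service).

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; demonstration only, not a production cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Tampering is detected on unseal."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("document has been tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class PolicyServer:
    """Holds document keys and the access policy. The policy lives here, not in the file,
    so a copy of the file in SharePoint, on a laptop or in someone's inbox is still bound by it."""
    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.policy: dict[str, dict[str, set[str]]] = {}

    def protect(self, doc_id: str, plaintext: bytes, allowed: dict[str, list[str]]) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[doc_id] = key
        self.policy[doc_id] = {user: set(rights) for user, rights in allowed.items()}
        return seal(key, plaintext)           # only the ciphertext leaves the server

    def request_key(self, doc_id: str, user: str, action: str) -> bytes:
        # Checked on every open, so a revocation is enforced immediately.
        if action not in self.policy.get(doc_id, {}).get(user, set()):
            raise PermissionError(f"{user} may not {action} {doc_id}")
        return self.keys[doc_id]

    def revoke(self, doc_id: str, user: str) -> None:
        self.policy.get(doc_id, {}).pop(user, None)

def open_document(server: PolicyServer, doc_id: str, blob: bytes, user: str) -> bytes:
    # The viewer fetches the key for this session only and must not persist it.
    return unseal(server.request_key(doc_id, user, "read"), blob)
```

In this model the ciphertext is the same bytes wherever it is copied; what changes is whether the policy service will still release the key to the person asking.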
Encryption and a persistent security policy are the best way to stop insider threats. Take action before you become the next data breach headline.