The flight of Edward Snowden with laptops full of classified information on U.S. spying programs has people wondering the obvious: How did he do this?
Let's talk about access.
Snowden's job title was “infrastructure analyst” at Booz Allen Hamilton. And as part of this position, he was given top secret security clearance at the United States' National Security Agency. This enabled him to poke around almost anywhere – and he certainly did.
Following Snowden's flight to China and Russia, the NSA has been trying to find out exactly what data he took with him. As this investigation nears its completion, we are being told by various sources that he “did not get the crown jewels” and that he used “forged digital certificates” to gain access to secret information and hide his tracks.
These statements are worse than the proverbial locking the barn door after the horse has been stolen. They're like saying the stolen horse was already lame and about to go to the glue factory. It's time for the NSA – or any organization concerned about data security – to repeat the Golden Rule of Timely Data Protection daily before bedtime: “If an organization asks what an employee has access to or where critical assets exist when an employee is walking out the door, it is too late.”
This statement isn't mine. I pulled it from a study of 80 insider cases by the CERT® Insider Threat Center at Carnegie Mellon University’s Software Engineering Institute, a report which, somewhat paradoxically, was sponsored by the Cyber Security Division, Homeland Security Advanced Research Projects Agency, Science and Technology Directorate of the Department of Homeland Security. Go ahead, say that in one breath. By fusing the insights from this report with the known details of the Edward Snowden case, we get some good learning points on access rights and data security.
1. Organizing access rights does matter.
The CERT report says it clearly: "In the majority of studied cases, the insider misused some form of authorized access. This is often inadvertently aided by poor record-keeping systems within the organization." I would just add that poor record-keeping can result from either under OR over-organization. Both have their relative risks.
In the “over-organization” category, we have the NSA and the US government. There are reportedly 4 million Americans with “top secret” clearance. So many, in fact, that it has devalued the classification and at times made it impossible to find out who is doing what in the security arena. (For a prescient perspective on this, read this Washington Post report on the intelligence sector from 2010.) In this case, the organization is so complex that it fails to function effectively – and that includes the critical task of protecting data.
But most companies really fall in the “under-organization” category. This is the place for companies that have no systematic way of restricting or organizing employee access across their network. It's where we find companies that haven't tagged or identified the data which only specific departments should access. And it includes the companies that forget to cut back employees' access rights after they have transferred to different departments and changed areas of responsibility.
While a data breach at the NSA certainly gets our attention – to say nothing about the legality of their own PRISM data collection efforts – it is really an exceptional case. Yes, one could say that over-organization can result in as many problems as under-organization. But for most companies, under-organization is a problem that strikes much closer to home. It may not seem very attractive, but basic, timely record-keeping of employee access rights is an essential part of data security.
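The record-keeping the CERT report asks for can be checked mechanically once access rights and data ownership are written down. The script below is an added example, not code from the original post or from Safetica: it reviews a small, constructed inventory of employees, department-tagged resources and access grants, and flags the three situations described above – data nobody has tagged with an owner, rights left over from a previous department after a transfer, and grants belonging to someone who is no longer on the employee list. All names, departments and dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Employee:
    emp_id: str
    department: str                         # department the employee works in today
    transferred_on: Optional[date] = None   # date of the most recent transfer, if any


@dataclass
class Resource:
    name: str
    owning_department: Optional[str]        # None means the data was never tagged


@dataclass
class Grant:
    emp_id: str
    resource: str
    granted_on: date


# Constructed sample inventory (hypothetical people and systems, not real data).
EMPLOYEES = [
    Employee("e001", "finance"),
    Employee("e002", "sales", transferred_on=date(2013, 3, 1)),   # moved from engineering
    Employee("e003", "hr"),
]
RESOURCES = {
    "finance-ledger": Resource("finance-ledger", "finance"),
    "source-repo": Resource("source-repo", "engineering"),
    "crm": Resource("crm", "sales"),
    "shared-drive": Resource("shared-drive", None),              # untagged data
}
GRANTS = [
    Grant("e001", "finance-ledger", date(2011, 1, 10)),
    Grant("e002", "source-repo", date(2012, 6, 1)),    # granted before the transfer
    Grant("e002", "crm", date(2013, 3, 2)),            # granted after the transfer, fits the new role
    Grant("e003", "shared-drive", date(2012, 9, 15)),
    Grant("e004", "crm", date(2012, 11, 3)),           # e004 has left; nobody revoked this
]


def review_access(employees: List[Employee], resources: Dict[str, Resource],
                  grants: List[Grant]) -> List[Tuple[str, str, str]]:
    """Return (finding, emp_id, resource) triples for grants that need attention."""
    by_id = {e.emp_id: e for e in employees}
    findings = []
    for g in grants:
        emp = by_id.get(g.emp_id)
        if emp is None:
            # Access that outlived the employee: the 'walking out the door' case.
            findings.append(("orphaned_grant", g.emp_id, g.resource))
            continue
        res = resources.get(g.resource)
        if res is None or res.owning_department is None:
            # Nobody owns this data, so nobody can say who should be allowed to see it.
            findings.append(("untagged_resource", g.emp_id, g.resource))
            continue
        if (emp.transferred_on is not None and g.granted_on < emp.transferred_on
                and res.owning_department != emp.department):
            # Right granted for the old role and never cut back after the move.
            findings.append(("stale_after_transfer", g.emp_id, g.resource))
        elif res.owning_department != emp.department:
            # Cross-department access granted deliberately; still worth a periodic look.
            findings.append(("cross_department", g.emp_id, g.resource))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(EMPLOYEES, RESOURCES, GRANTS):
        print(*finding)
```

Run on the sample inventory it reports one orphaned grant, one stale post-transfer right and one untagged resource, while the deliberately granted cross-department access would be listed separately so a reviewer can confirm it is still needed. In a real environment the inventory would come from the HR system and the directory or IAM platform rather than from literals, but the review logic is the same.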
2. Think low-tech responsibility.
CERT found that the vast majority of insider theft cases used low-tech methods and did not involve those with system administrator rights. And, the rare problem of a misbehaving system administrator usually just involved the misuse of existing access rights. As they point out, “these privileges were often necessary for the insiders to perform their legitimate job duties, so organizations must ensure that technical insiders are using their privileges appropriately.”
Such checks seem to have been lacking in the Snowden case. Forged digital certificates may have enabled Snowden to bypass internal NSA controls – but we don't know that. We do know that he used a thumb drive to take data outside of his work network – a technology that was considered socially odd in the NSA environment.
Peer pressure is not an adequate data security plan. And who would ever consider a thumb drive to be high tech? I certainly wouldn't, as my children use them regularly for elementary school projects. Regardless of any hacker tricks Snowden used to go through the network, he still had to use these very elementary devices to take the data out with him. So when your data leaks, don't blame the loss on smoke, mirrors, and other hacker tricks. Keep tabs on the basic data storage devices.
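“Keeping tabs on basic storage devices” in practice means collecting mount and file-copy events from endpoints and alerting on copies to removable media. The following is an added example, not code from the original post or from any product it mentions: it runs two simple rules over a handful of constructed log lines in a hypothetical key=value format – any file labelled restricted written to a freshly mounted removable volume, and a per-user byte volume to removable media above a threshold. The hosts, users, paths, labels and threshold are all assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed endpoint-agent log lines in a hypothetical key=value format.
# Sample input written for this example, not output of any real product.
SAMPLE_LOG = """\
2013-05-20T09:14:02Z host=ws-17 user=jdoe event=usb_mount vol=E:
2013-05-20T09:15:10Z host=ws-17 user=jdoe event=file_copy dst=E:\\report.docx bytes=204800 label=internal
2013-05-20T09:16:45Z host=ws-17 user=jdoe event=file_copy dst=E:\\archive.zip bytes=734003200 label=restricted
2013-05-20T09:20:01Z host=ws-22 user=asmith event=file_copy dst=C:\\Users\\asmith\\notes.txt bytes=1024 label=internal
2013-05-20T09:21:30Z host=ws-22 user=asmith event=usb_mount vol=F:
2013-05-20T09:22:00Z host=ws-22 user=asmith event=file_copy dst=F:\\slides.pptx bytes=5242880 label=internal
"""

BYTES_THRESHOLD = 100 * 1024 * 1024   # assumed limit: 100 MiB to removable media per user


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect_removable_copies(log_text: str,
                            threshold: int = BYTES_THRESHOLD) -> List[Tuple[str, str, str]]:
    """Return (rule, user, detail) alerts for copies to removable volumes.

    Rule 1: a file labelled 'restricted' written to a volume seen in a usb_mount event.
    Rule 2: total bytes one user writes to removable volumes exceeds the threshold.
    """
    mounted = set()                          # (host, volume) pairs from usb_mount events
    total_bytes: Dict[str, int] = defaultdict(int)
    alerts: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("event") == "usb_mount":
            mounted.add((ev["host"], ev["vol"]))
        elif ev.get("event") == "file_copy":
            volume = ev["dst"][:2]           # drive letter and colon, e.g. 'E:'
            if (ev["host"], volume) not in mounted:
                continue                     # local or network path, not removable media
            if ev.get("label") == "restricted":
                alerts.append(("restricted_to_removable", ev["user"], ev["dst"]))
            total_bytes[ev["user"]] += int(ev["bytes"])
    for user, n in sorted(total_bytes.items()):
        if n > threshold:
            alerts.append(("volume_threshold", user, f"{n} bytes"))
    return alerts


if __name__ == "__main__":
    for alert in detect_removable_copies(SAMPLE_LOG):
        print(*alert)
```

On the sample lines the user on ws-17 trips both rules, while the small internal copy on ws-22 produces nothing, which is the point: the rules key on data labels and volume rather than on whether a device was plugged in at all, so ordinary use of a memory stick is not treated as an incident. Labels only help if the data has been tagged beforehand, which ties this back to the record-keeping point above.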
How accessible are you (and your data)?
An Edward Snowden-type data breach is an exceptional event. But it is not inevitable. There are specific steps companies can take with a DLP solution such as Safetica which will dramatically cut the chances of a catastrophic data loss.
- Get a real security policy. With the Data Leak Protection module in Safetica, companies can establish their own security policies to oversee how data is accessed, worked with, and saved. Restrictions can be made from the document perspective or by department or individual.
- Work on your device management skills. Security policies in Safetica can be easily fine-tuned to restrict which files and data categories can be removed from the company network – whether on a memory stick, burned to a DVD, or sent by email.
Of course, being smaller than the US government should also make it easier to keep tabs on your data.