At a time when external hacks are grabbing headlines, frequently unreported internal security breaches involving low-level administrators accessing high-level executive email and other systems are driving efforts to limit access to only the most highly trusted personnel. Although the internal access problem is well known, strategies for resolving it are being formulated by a surprisingly small number of companies, which are largely seeking out encryption technology from a handful of IT vendors. And while those products are helpful, they do not reveal how many systems administrators, database administrators, storage administrators and upper-echelon "super users" are accessing sensitive executive information.
Asked how many employees typically have access to sensitive data, such as executive email or personal customer information, veteran data storage professional Warren Avery facetiously replies, "How many system administrators do you have in the company?
"I'm a firm believer that all these companies are spending their money to keep the foxes out of the henhouse, but a lot of times, the foxes are already there," says Avery, president of Promethean Data Solutions, a Phoenix-based firm that compiles articles for its IT Weekly newsletter.
Despite the insider security threat, Jon Oltsik, an analyst at the US Enterprise Strategy Group, says only "a very small percentage" of companies rely on anything in addition to internal access control lists when it comes to limiting entry to not only high-level email, but network-attached storage (NAS) and fibre channel networks. He further maintains that in a company of 1,500 employees, there might typically be five to 10 administrators with executive-level access to information.
Passing on encryption
Encrypting internal data on disk systems is viewed as one viable way of protecting sensitive data, but both Avery and Oltsik say very few companies use this offering.
According to Ralf Saykiewicz, managing partner at XaHertz Consulting in Orlando, only very large companies, such as Target, Wal-Mart Stores., Accenture and IBM Global Services practice this strategy. Saykiewicz says in a multinational company of 15,000 employees, 20 to 30 people at headquarters alone would have high-level data access.
Hanging a price tag on the development of a secure internal IT infrastructure is an inexact science at best, but price tags would likely range from US$100,000 to $1 million, according to analysts. "I'd probably say you're looking at a million bucks or so," Avery says, pointing to the costs of hardware, software and salaries. Adds Saykiewicz, "I would give you a very ballpark figure of between US$100,000 and a quarter million dollars. You need to put in the consulting time, and you need to put in the software."
In large part, the justification for comprehensive security systems is attributable to the largely unknown number of internal security breaches that are increasingly plaguing companies. Documenting these abuses is difficult because so many of them are never reported because of concerns over the negative public relations fallout.
For the first time, the CSI/FBI Computer Crime and Security Survey in 2006 asked 536 respondents to estimate attacks coming from inside an organisation versus those from outside. More than one-third (37 percent) of respondents attributed more than 20 percent of their company's losses to insiders. Another 29 percent attribute a percentage of losses less than 20 percent to actions of insiders. Only 7 percent of respondents thought that insiders account for more than 80 percent of their organisation’s losses. Lastly, 32 percent said that insider threats account for none of their cyber losses.
In summary, the report states "even though most respondents do not see insiders as accounting for most of their organisation's cyber losses, a significant number of respondents believe that insiders still account for a substantial portion of losses."
New Century Mortgage: Risk-averse
Marc Loewenthal, vice president of corporate affairs and chief privacy officer at New Century Mortgage in Irvine, Calif., describes a very tight internal access scenario at his firm, which has 7,400 employees and originated $56.1 billion in mortgage loans in 2005.
"In terms of executive-level email, there is an extremely limited group of people that would have access to it and monitor it, and that's pretty tightly controlled by the general counsel," Loewenthal says. "There would be no reason, frankly, for us to give anybody access to it unless it was a litigation matter, and those are tightly controlled within the legal department."
Loewenthal says that even as chief privacy officer, he has to be given special administrative rights to look at anybody's email, and that he has to go through a process overseen by the firm's chief technical people in order to be approved. This process enables those personnel to know at any given point in time who has access to not only email, but also NAS and Fibre Channel SAN networks.
Loewenthal's best practices for securing data internally starts with the development of a management information classification system that designates data in terms of its importance and need for confidentiality. The next step is deciding whether to encrypt confidential, sensitive data and then segment it by placing it in data repositories or on servers that can be walled off from the rest of the company.
This approach to data classification needs to coincide with policies and procedures that safeguard the information, e.g., what kinds of firewalls to deploy, how to test the security system, how to update it, how to limit the effects of any breaches and how to notify customers affected by those breaches.
"You really have to make the effort to get together and meet and set up the proper committees to make sure the stuff goes through proper processes," Loewenthal says. "You have to have the right audit checks and monitoring checks in place. It takes time, and it takes some investment in infrastructure to do it right."
A small cadre of vendors is offering appliance/server-based encryption and authentication products targeted for companies seeking to enhance their internal protection against unauthorised data access to email and other networks.
Among them is NeoScale, which offers its CryptoStor line of appliance products for Fibre Channel, tape, SAN/VPN and key management environments. CryptoStor devices are designed to be deployed on a storage network as a drop-in application between the server and storage device to secure data at rest. CryptoStor's key management capabilities allow data to be recovered when and where it is needed such as at a disaster recovery site or the location of a business partner.
According to Dore Rosenblum, NeoScale's vice president of marketing, traditional server-based encryption methodologies incurred significant overhead, slowed down the backup and generally detracted from operational environments. Rosenblum claims that by dropping an appliance into the network, overhead issues are eliminated because the appliance is able to support encryption at line rates. In addition, he says because CryptoStor provides a turnkey application, it also eliminates traditional key management headaches.
"If you look at a server-based solution," Rosenblum says, "the keys are just stored there on the server and open for anyone who knows how to access them."
Recently acquired by EMC, RSA builds its best practice environment for internal access around several key products, including RSA Authentication Manager, RSA SecurID, RSA Access Manager and RSA BSAFE.
RSA Authentication Manager software is the management component of the RSA SecurID product, which initially verifies authentication requests and centrally administers user authentication policies for access to enterprise networks. RSA Authentication Manager provides two-factor user authentication that protects access to VPNs, wireless networks, web applications, business applications and operating environments. The two factors include something you know (a password or PIN) and something you have (an authenticator).
In the next step, RSA Access Manager enables users to validate not only who somebody is but what that person is allowed to do. This is accomplished through a mechanism known as role-based control, which determines if a person is able to see documents, print them, forward email attachments or save data.
According to Dennis Hoffman, RSA's vice president of enterprise solutions, "the last step is securing the data itself, which we do through encryption key management and digital rights management technologies. So the encryption products at RSA go under the BSAFE brand."
RSA's encryption products are available in both server- and appliance-based versions. Hoffman says while the server-based versions could be subject to injurious access by someone with super-user status, the appliance version is hardened and closed, which prevents unauthorised access.
While the number of internal security breaches involving lower-level data administrators accessing executive-level email and network information is difficult to document accurately, experts agree that the severity of these occurrences generally makes them more harmful than external attacks.
One of the biggest obstacles to eliminating unauthorised access is determining how many people have it. Access lists are particularly difficult to formulate in both mature companies, where the number and power of administrators have expanded over periods of years, and small companies, where rapid growth leads to undocumented tangles of administrators who are able to maintain their access because nobody has time to assess their status.
Currently, only the largest companies are aggressively pursuing technology that will enable them to tighten up their internal security, while many other firms are simply hoping that they will be able to get by without significant changes, which is a high-risk strategy, given the many possible negative outcomes.
"Realistically," says Loewenthal, "you're not going to be able to stay in business very long if the information leaks out of your company like a sieve. You really do have to make sure you are protecting and placing safeguards around it."
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.