Snowden and Panama teach us how lack of control with access rights is a threat to IT security

What do the Snowden files and Panama Papers have to do with identity management and access governance? Everything, actually.

1. Christian Stendevad_Executive VP_Omada_T2015

By Christian Stendevad, Executive VP, Omada

Edward Snowden – the ‘All Access’ subcontractor

The Snowden leak is arguably the most spectacular breach ever, because of

  • the drama ensuing from the publication of the leaked data
  • the victim – the National Security Agency
  • the volume of leaked data

The leak was made possible, not because of intricate hacks and spectacular exploits, but because Edward Snowden, who worked for a subcontractor to the NSA, accumulated access rights over a long period of time to a wide range of systems and data within the NSA environment.

He did this quite legitimately, by requesting and receiving access rights to data he needed to perform the tasks he was hired to do.

Eventually, he had accumulated enough access rights, to enable systematic download of information.

If the NSA had had full visibility to Snowden’s privileges, alarm bells would have gone off, and rights could have been revoked, to ensure that no one – and certainly not a contractor – had access rights and user privileges, to the extent that Snowden did.

Panama Papers – who had the wrong rights?

A contender to the “Most Spectacular Leak” title is the recent Panama Papers scandal. The 11 million documents leaked to global media have shamed corporations, politicians and celebrities and fuelled the climate of distrust between ‘the people’ and ‘the establishment’.

While we do not at this point know the details of how the leak happened, I am not afraid to make a few assumptions.

For example: The sensitive information in the documents and the sheer volume of data suggest that an autopsy of the leak will include findings about IT security…

I will go so far as to guess, that the findings will fault the IT security efforts of Mossack Fonseca.

Secondly, I think we can assume that whoever was behind the leak had extensive access rights and user privileges. Far more extensive than just about any employee should have. So presumably, the source of the leak is either very high up in the organization – or is an employee or subcontractor who, like Edward Snowden, accumulated these rights over time, and under the radar.

I am also inclined to think that the law firm has been aware that IT security is a discipline to be considered, in a business that relies heavily on digital processes and stores large amounts of highly sensitive information for customers.

That Mossack Fonseca did not have their identity management and access governance in place, may be a simple matter of risk assessment gone wrong: the cost and resources required to implement the appropriate security measures may have been deemed too high, to be worthwhile. I suspect that, in hindsight, the conclusion of said risk assessment would be different.

And if the cost of IT security solutions were the issue, perhaps a few of Mossack Fonseca’s customers would be up for a bit of crowd funding, to help pay the bill…?

And you – who has access to your data?

These two high-profile incidents illustrate why identity management and access governance is an absolutely essential discipline in IT security.

Controlling who has access to corporate data will help you prevent damage from leaks from within the organization, simply by ensuring that no one individual can access too much data.

Controlling user access will also help you control the damage done by hackers attacking from outside of the organization, making it very difficult to retrieve data once they have made their way into your infrastructure.

While most employees do not go to work with malicious intent, they do make up one big soft spot of entry points for hackers, who worm their way into systems on the back of the employees’ user access right.

Effectively, they become a risk, simply by doing their jobs.

The bottom line:

You must conduct your everyday business on
the assumption that persons with malicious intent are present in your infrastructure at all times. If that assumption is your baseline, and your organization acts accordingly, you are a long way towards healthy, security conscious policies and procedures.