Snowden Case Is an Object Lesson in Managing Privileged Access


Getting and then keeping IT security issues on the corporate agenda is not always that easy. Business executives are easily distracted by any number of other pressing issues. So when IT security manages to find its way into the popular psyche, IT security professionals should take every opportunity to share a few object lessons with their colleagues.

One such opportunity coming up this month will be too compelling to ignore. On Sept. 16, Snowden, the movie, will be released. As an example of the havoc that can be wreaked by a trusted insider, there is, at least thus far, no greater illustration of what can go terribly wrong.

While some may hail Edward Snowden for releasing National Security Agency (NSA) documents that revealed the scope of domestic spying being engaged in by the U.S. government, the fact remains that disclosing those documents was a crime. To what degree those disclosures represent an act of treason remains for a court or the president of the United States to one day determine.

But the one thing that is clear is that Snowden had access to documents that he never should have had in the first place. Like a lot of organizations, the NSA simply got sloppy when it came to managing privileged access. In fact, a recent “IT Needs More Control Over Network Access Privileges” report issued by BeyondTrust suggests that there is very little consistency in how one organization versus another manages privileged access internally.

There’s a natural tendency for senior business and IT leaders to trust their insiders. After all, they’re all engaged in one great enterprise or another with each other. But today’s trusted lieutenant can easily become tomorrow’s disgruntled employee when, for example, somebody gets passed over for a promotion because internal corporate politics have gotten out of hand. Often the best-case scenario is that the employee takes knowledge they probably shouldn’t have to a competitor. The worst-case scenario is that they leak that information in a way that creates legal liabilities for the organization.


Of course, the fundamental issue is who inside the organization is actually responsible for determining who should have access to what. Business leaders somehow think that the internal IT team has some magic formula for figuring that out. The IT department is only the mechanism for granting access to various files. They can monitor who accessed what at any given time. But it’s up to the business units to determine who should have access to anything. The trouble is that most business units are good at vetting who initially needs access to what files to do a particular task. Most of them, however, are horrible at remembering to rescind that access when a person takes on a new role in the organization. After a couple of years, it’s not uncommon for an employee moving up and across the ranks to have access to all kinds of files they probably no longer have any business using.

The Human Resources department in most organizations these days is always on the lookout for ways to promote better bonding across the organization. One suggestion would be to take the senior leadership team on a field trip to see the Snowden movie together. If the Snowden movie doesn’t imprint the need to better manage privileged access on their brains, nothing much else ever will.


Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.
