Insider threats force balance between security and access

WASHINGTON — There may be no single solution to the complex challenge of protecting against insider threats within the enterprise, but IT leaders can help their cause with prudent policies that put limits on who can access what kinds of data, and working to boost awareness of security issues throughout the organization.

So argues Michael Dent, CISO of Fairfax County, Va., who spoke at a panel discussion on insider threats along with other security experts at a recent government IT conference hosted by Symantec.

What constitutes an insider threat?

As a starting point, Dent contends that organizations must broaden their understanding of what constitutes an insider threat, acknowledging that in the typical enterprise access to sensitive systems and information runs well beyond in-house staff.

“The insider threat comes in so many different ways that there is really no magic answer, I think, for anyone,” he says. “People need to understand that insider threats aren’t just your employees. They also are your contractors, your vendors — your volunteers, potentially — that come in and work for you.”

In terms of technical measures in areas like access and authentication, Symantec CIO Sheila Jordan sums up the rough consensus of the panel: “I would say that we have come a long way, but we kind of have a long way to go.”

Panelists point out that traditional perimeter defenses such as firewalls and intrusion detection aren’t going to help when the threat is coming from within. “Insider threat is not going to be stopped by that,” says Prem Jadhwani, CTO at Government Acquisitions, a value-added reseller focusing on the government IT space.

Security is a data problem

But while the term “insider threat” typically conjures a rogue employee deliberately stealing data or spreading malware from inside the firewall, putting policies in place to address those types of bad actors is “relatively easy,” according to Jordan.

She believes that it is far more difficult to develop an appropriate framework for access and permissions that strikes a balance between strong security protocols and an increasingly fluid workplace where more and more employees — with no malicious intentions — are expecting to be able to work remotely and on a variety of devices.

That argues for a more carefully considered approach to where various types of data and applications are housed, and what levels of access should be afforded to employees and vendors.

“At the end of the day, security really is a data problem,” Jordan says.

In the Washington suburb of Fairfax County, the government experienced a data exposure that could come under the category of insider threat, though Dent explains there was no intent on the part of the individual responsible, but rather the issue was one that could be addressed through policy and training.

“We had a vendor who took data from the county on a USB — very innocently — he thought he was doing some shortcuts and some help to the county, and he ended up exposing some county data for over two years on an unsecured file share from his company,” Dent recalls.

That sent the county scrambling to mitigate the exposure, including notifying employees and citizens whose information might have been compromised.

Today, Dent’s organization runs on a “least-privilege” system, strictly limiting access to certain data assets based on job function and responsibility. That includes particularly tight controls barring remote access to industrial-control SCADA systems, he says.

Fairfax County has also implemented a tough policy for offenders who violate the organization’s data-access rules. On the first offense, Dent explains, the employee will go through a training program. The second time around, it will trigger an intervention by the human resources department, and the third offense is grounds for termination.

But beyond the access restrictions, Dent has adopted an approach that aims to extend the responsibility for data security beyond just the IT department.

“I put the onus back on the data owner. Us in IT, we are the data stewards, but the data owners, they’re the ones who are responsible truly for that data and how it’s protected,” he explains.

“And it’s amazing when you put that risk back on those data owners, when they’re asking for exceptions to your policy so they can send a copy of a production database out to a vendor to do some programming or some configuration, then you turn around and you ask them, ‘Well, what’s in the data?'” Dent says. “Then they start to think about it. Then they’ll come back, most of them, and they’ll adjust their request or pretty much they ask that their request not be done, and we end up bringing the vendors in securely.”

That approach meshes with a message Jordan and others have been carrying forward — that any effective security framework must involve the whole of the enterprise and win buy-in from senior leadership and the various business lines of the organization.

“Security is not an IT issue, and it’s not just a CISO issue. It’s everyone’s business,” Jordan says.

“Security is not an event,” she adds. “You’ve got to embed it into the overall DNA of your organization.”