There is a proven method for preventing the kind of leaks of highly classified documents that have recently been in the news. The regulators, security experts and military doggedly keep trying to make their ineffective methods work, ignoring decades of failure.
While there is a lot of detail, the basic approach of the security method that all the authorities insist will keep our secrets and confidential information safe is simple:
- For outside attackers (hackers), build walls that are thick and high and have locked and guarded front doors. Keep the bad guys out!
- For traitorous insiders, enforce elaborate background checks to assure that only properly vetted employees have access to secret documents. Everyone who can access documents is a certified good guy!
Makes common sense, right? Everyone thinks so. The trouble is, the methods don’t work.
- Outsiders: In spite of ever-growing stacks of detailed regulations, the bad guys keep breaking in. While not in the news, there are literally dozens of successful ransomware attacks per day. The walls never seem to be thick or high enough.
- Insiders: Edward Snowden, Bradley/Chelsea Manning, and many others less famous. A large fraction of the giant data thefts from corporations and governments were done by insiders. The certification of good guys is never good enough.
So what can be done? Retailers of expensive goods have been using methods that work for a long time. Even some libraries use the methods! They can be translated to work for computers, something which has been done in various places for decades. For reasons known only to them, the authoritative Experts continue to ignore the method that works.
In simple terms, what works is comprehensive, highly detailed surveillance. Every person who accesses any computer in an organization has to log in. Once logged in, every system supports controls on what the person can see and do. If you're a customer service person, for example, you can access customer records, but not the organization's financial records. The idea is that each person has a normal pattern for interacting with the system, and deviations from that normal pattern should be flagged and examined; if the deviations are strong, the person's access should be halted until the issue is resolved. Suppose the normal pattern for a customer service person is that each time they take a call, they find and interact with a person's record. The system knows and routes every phone call. What if the person suddenly starts accessing more customer records than the phone calls they handle? If it's more than a couple, a red flag should be raised.
In the case of the IT person who appears to have stolen the confidential documents, there is no way a person with that role should be accessing such records! With a good surveillance system in place, their access would be immediately revoked after the first access and someone would find out what the problem was.
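The two rules described above, the customer-service volume check (lookups against calls handled) and the role check that halts an IT account on its first read of a document outside its role, can be applied to an audit trail with a few dozen lines of code. The following is an added example written for this post, not code from any product the post refers to; the role policy, the pipe-delimited log format and the sample audit lines are all constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Hypothetical role policy (an assumption made for this example): the resource
# types each role is permitted to read at all. A read outside the list is a
# violation on the very first occurrence, whatever the volume.
ROLE_POLICY = {
    "customer_service": {"customer_record"},
    "finance": {"customer_record", "financial_record"},
    "it_admin": {"system_config"},
}

@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    role: str
    action: str    # "call_handled" (routed phone call) or "access" (record read)
    resource: str  # resource type, e.g. "customer_record"; "-" for calls
    obj: str       # identifier of the specific record; "-" for calls

@dataclass
class Report:
    findings: dict = field(default_factory=lambda: defaultdict(list))
    revoked: set = field(default_factory=set)

def parse_log(lines):
    """Parse constructed, pipe-delimited audit lines into Event objects."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, action, resource, obj = (f.strip() for f in line.split("|"))
        events.append(Event(ts, user, role, action, resource, obj))
    return events

def evaluate(events, policy=ROLE_POLICY, tolerance=2):
    """Walk the audit trail in order and apply two rules:
    1. role rule: a read of a resource type outside the role's policy halts
       the account immediately (the first access is enough);
    2. volume rule: for customer-service staff the normal pattern is one
       record lookup per routed call, so when lookups exceed calls handled
       by more than `tolerance` ("more than a couple"), raise a flag.
    Reads attempted after a halt are recorded as denied."""
    report = Report()
    calls, lookups = Counter(), Counter()
    volume_flagged = set()
    for ev in events:
        if ev.action == "call_handled":
            calls[ev.user] += 1
            continue
        if ev.user in report.revoked:
            report.findings[ev.user].append(
                ("DENIED", ev.ts, f"read of {ev.resource} {ev.obj} after halt"))
            continue
        if ev.resource not in policy.get(ev.role, set()):
            report.findings[ev.user].append(
                ("ROLE_VIOLATION", ev.ts, f"{ev.role} read {ev.resource} {ev.obj}"))
            report.revoked.add(ev.user)
            continue
        if ev.role == "customer_service" and ev.resource == "customer_record":
            lookups[ev.user] += 1
            excess = lookups[ev.user] - calls[ev.user]
            if excess > tolerance and ev.user not in volume_flagged:
                volume_flagged.add(ev.user)
                report.findings[ev.user].append(
                    ("VOLUME_ANOMALY", ev.ts,
                     f"{lookups[ev.user]} lookups vs {calls[ev.user]} calls"))
    return report

# Constructed sample audit trail: alice behaves normally, bob pulls records
# without matching calls, carol (IT) reads documents outside her role.
SAMPLE_LOG = """
# ts    | user  | role             | action       | resource        | object
09:00   | alice | customer_service | call_handled | -               | -
09:01   | alice | customer_service | access       | customer_record | C1001
09:10   | alice | customer_service | call_handled | -               | -
09:11   | alice | customer_service | access       | customer_record | C1002
10:00   | bob   | customer_service | call_handled | -               | -
10:01   | bob   | customer_service | access       | customer_record | C2001
10:02   | bob   | customer_service | access       | customer_record | C2002
10:03   | bob   | customer_service | access       | customer_record | C2003
10:04   | bob   | customer_service | access       | customer_record | C2004
10:05   | bob   | customer_service | access       | customer_record | C2005
11:00   | carol | it_admin         | access       | system_config   | mailserver
11:05   | carol | it_admin         | access       | classified_doc  | DOC-7
11:06   | carol | it_admin         | access       | classified_doc  | DOC-8
"""

def run_example():
    """Evaluate the constructed log and return the Report."""
    return evaluate(parse_log(SAMPLE_LOG.splitlines()))

if __name__ == "__main__":
    report = run_example()
    for user, items in report.findings.items():
        for kind, ts, detail in items:
            print(f"{ts} {user:6} {kind:15} {detail}")
    print("halted:", sorted(report.revoked))
```

The role rule fires on carol's first out-of-role read and everything she tries afterwards is logged as denied; bob is flagged at his fourth lookup against a single call, while alice's one-lookup-per-call pattern produces nothing. The tolerance and the per-role baseline are the knobs a real deployment would tune per job function.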