“Thwarting an Internal Hacker” – Monitor Access, Not Employees

I just read a Wall Street Journal article by Bruce Schneier, the CTO of BT and a renowned security author. The piece, “Thwarting an Internal Hacker,” is timely given recent security breaches hitting the news (including Heartland Payment Systems and Fannie Mae, which he references) coupled with the economy. I’ve already written about how the economy is producing a perfect storm for massive insider threats, and I agree with Bruce that companies need to evaluate their risk exposure.

Bruce highlights five techniques for companies that help them deal with trusted employees. The goal of these tactics is to prevent insider threats, or internal security breaches. In theory, I agree with Bruce’s points, especially those about quantifying trust levels and limiting the access that trusted employees have. These are both important strategies for corporations trying to proactively manage risk. I don’t agree with all of Bruce’s tactics, however, because he focuses on deciding which employees to trust and how to monitor them, which can be a difficult and delicate dance for companies.

Since most Fortune 1000 companies have tens of thousands of employees, it’s practically impossible to measure each employee’s “trust” level. Further, most corporations do a dismal job of maintaining good controls over access, allowing employees and other insiders to accumulate privileges well beyond those required to perform their current duties. My belief is that companies need to ensure they have full visibility into what access levels each of those employees have, and whether they align with the corporate policy (for example, an employee shouldn’t be able to set up a vendor in the system and pay that vendor).

This full visibility into user access across the enterprise allows companies to monitor the critical applications, as well as who is accessing them. It also allows them to prevent access when necessary, or terminate it upon an employee’s firing – precisely when an employee suddenly has a motive to do damage. For more advice on this topic, we just posted a podcast discussing how organizations can avoid security breaches (and failed audits, by the way) with an identity governance strategy that provides visibility and control over access to critical IT resources within their organizations.

What do you think – is your company taking a proactive approach to identifying risk exposure tied to user access?