SailPoint’s Ben Bulpett considers how small errors in security can leave identity at risk.
Ben Bulpett: Hello, my name is Ben Bulpett and welcome to this Identity Talk.
Captain Tim Lancaster was hanging out of the window of BA5390 at 17,300 feet. It was two and a half millimeters that nearly cost him his life. Flight BA5319 was ready for takeoff with 81 passengers on the ninth of June 1919 traveling to Malaga, Spain.
30 minutes after takeoff the plane was at 17,300 feet when a loud bang was heard by passengers and the cabin depressurized in under two seconds. One of the cabin stewards rushed into the cockpit to find our copilot Alastair Atchison trying to regain control of the aircraft while Captain Lancaster had been sucked out of the pilot window, only his legs still in the aircraft.
24 hours previously the plane, a BAC One-Eleven jet airliner, had received a maintenance check and during the process a maintenance manager who we will call Tim noticed that 90 bolts on the windscreen of the aircraft needed replacing. As he removed the bolts he took one to the store room and compared them with the numerous other bolts.
He correctly identified the ones he needed visually and with no reference to the manual. He grabbed hold of the other 89 bolts but realized he was short by six. So as to avoid delay Tim drove off to another store area using his access and grabbed hold of the six bolts that looked similar to the others.
At this point his access to the second store was not checked and he didn’t check the store locator as to where the bolts were located. Instead he read the label on the drawer and just knew the bolts he grabbed were correct. Back at the aircraft Tim got to work replacing the bolts on the windscreen. Unfortunately, Tim did not have the right wrench or screwdriver. He decided to take a torque-limiting screwdriver set to 20 pounds of turning force. This will be plenty, he thought. Unfortunately, Tim’s wrench and driver were not the exact match and were slightly short for him on the upper bolts on the upper side of the windscreen.
Leaning over the safety raiser he can just reach the upper window bolts, but it required patience, balance and was a fiddly job as a couple of the bolts were not the correct ones for the window. When the torque was achieved, the wrench slipped slightly. Tim thought it will be fine.
So how is all of this relevant to identity? Well, how many of our staff from being with our company still have access and the ability to access their previous roles, applications and data? How many teams have we moved in the organization without checking or reviewing their access to obtain information that may be inappropriate for their new role?
Tim was a manager and whilst his previous role was an engineer, no one checked his work that evening on the plane. It was assumed he knew what he was doing. How many of our staff are just given access to platforms and applications because it’s always been that way? Surely we need a platform that is constantly checking and recommending access reviews or even access revocation.
All of us have staff like Tim who are just trying to help or be good corporate citizens, but in this case Tim’s elevated position gave him access to an unchecked store room and equipment that should have been checked and questioned. He also overrode the system by not using the right tools.
In the world of IT access, he used his elevated access to bypass the systems to just get the job done. In the subsequent investigation it was highlighted that Tim had chosen the wrong bolts, he did not follow the correct procedures and no one checked his work. The bolts Tim fitted were 2.5 millimeters shorter than the correct bolts. So, these could be easily ripped from their thread and when six were pulled out this caused the window to explode.
Copilot Alastair Atchison was able to regain control of the aircraft, land safely and fortunately everyone survived. The steward managed to hold onto Captain Lancaster’s legs who spent 22 minutes outside of the aircraft and made a full recovery, eventually returning to flying.
It’s crucial companies have an appropriate identity platform which can ensure that as people move throughout their organization that the Tims of this world are managed and controlled. And if anyone tries to bypass the system or overwrites their access, the platform automatically notifies the appropriate authority, makes recommendations and can take action to protect by removing access automatically.
So to avoid a two and a half millimeter mistake, think about deploying an identity governance first strategy from SailPoint. Thank you.