By E.K. Koh
The blog post What the Snowden affair taught us asked, “Why should a system administrator be allowed to download and move files? Shouldn’t system privilege and data privilege be separate?”
Ideally, yes; in practice, that has rarely been the case.
Most system administrators have unfettered access to data as a side effect of their system privilege. This happens because their jobs often require them to move and copy data and documents. However, not all documents are the same, and depending on the classification of a document, certain restrictions may be required. For example:
a) You may choose to allow administrators to move or copy only files below a certain security classification, or
b) You may choose to allow administrators to move files only to designated locations, and to block copying classified files onto USB drives, transferring them by FTP, emailing them, or printing them, or
c) You may choose to restrict access or usage privilege based on the administrator’s context; for example, access can be curtailed when the administrator is traveling, or when the data is accessed from a remote or unapproved device.
The above are some simple examples of finer-grained, data-level controls that would have made it harder for someone like Snowden to copy classified files. Controls that are finer-grained and data-centric go beyond privileged access management (PAM), which typically provides shared-ID management along with system and account discovery and system-level access monitoring. Privileged ID management solutions can broker the use of privileged IDs, and monitor and detect infractions, but they do not necessarily prevent an infraction before it occurs. Many PAM tools are also system-based and coarse-grained (for example, they block access to certain applications or system privileges) and cannot enforce access or usage control at the level of individual data. While such system-level controls may be identity-aware, they are rarely granular enough to permit the authorized data handling that still needs to occur.
Other, less specialized solutions, such as data loss prevention (DLP), may also come up short for this use case. DLP tools often focus on scanning and blocking sensitive data at the network perimeter, which fails to address two key problems:
a) much data loss actually occurs within the corporate network; in Snowden’s case, he could simply have copied the files to a USB drive or printed hard copies, neither of which crosses the perimeter
b) necessary sharing must occur outside the network; for example, the author of a classified document often has a legitimate need to email a version to a co-author, but existing solutions would often block that email based on a simple keyword scan
A solution that blindly blocks all sharing or copying will not be accepted by the organization. Data-level controls therefore need to be:
a) Identity-aware: depending on who is sharing the file and with whom, the software must apply the appropriate controls
b) Content-aware: depending on the clearance of the person (identity-awareness) and the security classification of the content (content-awareness), the control applied can differ
c) Context-aware: depending on contextual elements, such as where the user is, the time of day, where the file is being copied or moved to, or which application is being used, the control applied can differ
These requirements call for finer-grained attribute-based access control (ABAC): controls based on attributes of the user, of the content being accessed, and of the context in which it is used. NIST recently published its Guide to Attribute Based Access Control (SP 800-162), an indication of the emerging importance of this technology.
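The following is an added example, not code from the original post, showing how the three kinds of awareness above and the administrator restrictions listed earlier translate into a small ABAC policy. Deny rules are checked first and the engine is deny-by-default. The attribute names (clearance, role, location, destination), the classification ladder, the set of “designated” locations and the sample users and files are all constructed for illustration; a real deployment would pull subject attributes from a directory and classification from document labels.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Added example; not from the original post. Attribute names, rule set,
and all sample subjects/resources/requests are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Classification ladder (constructed). Higher number = more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}
# Channels that take data out of central control, and the approved places
# an administrator may move classified files to (both constructed).
REMOVABLE = {"usb", "ftp", "printer"}
DESIGNATED = {"fileserver", "sharepoint"}


@dataclass(frozen=True)
class Subject:            # identity attributes
    user: str
    role: str             # e.g. "sysadmin", "analyst"
    clearance: str        # key of LEVELS
    location: str         # "hq", "remote", "travel"
    device_approved: bool


@dataclass(frozen=True)
class Resource:           # content attributes
    name: str
    classification: str   # key of LEVELS
    authors: Tuple[str, ...]


@dataclass(frozen=True)
class Context:            # context attributes of this request
    action: str           # "copy", "move", "email", "print"
    destination: str      # "fileserver", "usb", "external_email", ...
    recipient_clearance: Optional[str] = None


def rank(level: str) -> int:
    return LEVELS[level]


def classified(res: Resource) -> bool:
    """SECRET and above is where the hard restrictions apply in this policy."""
    return rank(res.classification) >= rank("SECRET")


Rule = Tuple[str, Callable[[Subject, Resource, Context], bool]]

# Deny rules, evaluated in order; the first match is the reason reported.
DENY_RULES: List[Rule] = [
    ("clearance_below_classification",
     lambda s, r, c: rank(s.clearance) < rank(r.classification)),
    ("classified_to_removable_media",            # USB / FTP / print
     lambda s, r, c: classified(r) and c.destination in REMOVABLE),
    ("classified_off_site_or_unapproved_device",  # context rule
     lambda s, r, c: classified(r) and (s.location != "hq" or not s.device_approved)),
    ("admin_outside_designated_location",         # admins may only move to approved places
     lambda s, r, c: s.role == "sysadmin" and classified(r)
     and c.destination not in DESIGNATED),
    ("external_share_needs_author_and_cleared_recipient",
     lambda s, r, c: c.destination == "external_email" and not (
         s.user in r.authors
         and c.recipient_clearance is not None
         and rank(c.recipient_clearance) >= rank(r.classification))),
]

PERMIT_RULES: List[Rule] = [
    ("cleared_subject",
     lambda s, r, c: rank(s.clearance) >= rank(r.classification)),
]


def evaluate(s: Subject, r: Resource, c: Context) -> Tuple[str, str]:
    """Return (decision, rule_name). Deny-by-default."""
    for name, pred in DENY_RULES:
        if pred(s, r, c):
            return ("DENY", name)
    for name, pred in PERMIT_RULES:
        if pred(s, r, c):
            return ("PERMIT", name)
    return ("DENY", "default_deny")


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed scenarios covering the cases discussed in the text."""
    admin = Subject("sysadmin1", "sysadmin", "TOP_SECRET", "hq", True)
    author = Subject("alice", "analyst", "SECRET", "hq", True)
    travelling_author = Subject("alice", "analyst", "SECRET", "travel", False)
    junior = Subject("bob", "analyst", "CONFIDENTIAL", "hq", True)
    report = Resource("ops-report.docx", "TOP_SECRET", ("alice",))
    memo = Resource("memo.docx", "SECRET", ("alice",))
    notice = Resource("notice.txt", "UNCLASSIFIED", ("alice",))
    return {
        "admin_copies_ts_to_usb": evaluate(admin, report, Context("copy", "usb")),
        "admin_moves_ts_to_fileserver": evaluate(admin, report, Context("move", "fileserver")),
        "admin_copies_ts_to_homedir": evaluate(admin, report, Context("copy", "homedir")),
        "admin_prints_unclassified": evaluate(admin, notice, Context("print", "printer")),
        "author_emails_cleared_coauthor": evaluate(
            author, memo, Context("email", "external_email", "SECRET")),
        "author_emails_uncleared_recipient": evaluate(
            author, memo, Context("email", "external_email", "CONFIDENTIAL")),
        "author_emails_while_travelling": evaluate(
            travelling_author, memo, Context("email", "external_email", "SECRET")),
        "junior_emails_secret_memo": evaluate(
            junior, memo, Context("email", "external_email", "SECRET")),
    }


if __name__ == "__main__":
    for scenario, (decision, rule) in demo().items():
        print(f"{scenario:36s} {decision:6s} ({rule})")
```

Note that the same administrator is permitted to move the TOP_SECRET report to the file server (a routine job) but denied when the destination is a USB drive or an unapproved location, and that an author’s legitimate email to a cleared co-author is permitted while the same email from an unapproved device on the road is not; a keyword-scanning DLP rule could not distinguish those cases. The order of the deny rules only affects which reason is reported, not the decision.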
The NIST report lists a second benefit of ABAC beyond fine-grained control: the same controls can be applied to data across systems, applications, and devices throughout the enterprise. A data-centric solution applies controls across the entire data lifecycle, as the data moves from the author’s PC to a file server to an intranet portal such as SharePoint.
Granularity and coverage together are the key components of a solution that can stop a rogue administrator like Snowden while still supporting legitimate collaboration.