WikiLeaks is an Access Management Issue

Michael Vizard

As all the aftershocks of the WikiLeaks scandal continue to play out across the globe, you can't help but wonder how things might be a little different if the federal government had an effective access management system in place that gave people access to information based on who really needed to know what.

As much as people like to focus on the dangers of removable media, which the U.S. military is now apparently getting ready to ban, the fact of the matter is that the individual suspected of freely sharing all this embarrassing information should never have had access to it in the first place.

There's not much that can be done about that now. But every IT manager knows that when it comes to intellectual property and access management in their organization, the sad truth of the matter is that most IT organizations have never done anything more elaborate than give people a password to access their systems. Once they get into those systems, there are no real meaningful controls in terms of preventing people from accessing files they should not be seeing. All it really takes is one determined insider with the means, motive and opportunity.

The real problem is that access management is difficult to deploy and to effectively manage. Companies such as ActivIdentity have simplified the deployment process by installing their software on appliances. But somebody still has to manage the software and then determine on a regular basis which individual should have access to what information. All too frequently, the IT department doesn't have the budget to acquire and manage access management software, and even if they do have the budget, they have no idea who should have access to what information.

Todd Freyman, director of government markets for ActivIdentity, says that, longer term, access management will probably morph into a service delivered via the cloud using virtual appliances. But even then, somebody within the company will actually have to spend time classifying information so the system will know how to apply the appropriate access policy.

Naturally, things will get worse before they get better given the rise of bigger USB memory sticks and all sorts of mobile computing devices that make it easy to download files and send them just about anywhere. So just remember the next time someone asks, "What were they thinking when they let all those State Department cables walk out the door?" that chances are high your organization is no better when it comes to access management. The only real difference is that not as many people might be affected by or care about your company secrets. But the fundamental principles and underlying root causes of the problem are sure to be the same.

Dec 13, 2010 9:12 AM Finn Frisch says:
Mike, while I do agree with you that we're seeing the effects of failing access management here, I fear the failure to provide "access to information based on who really needed to know what" in some instances may have been intentional rather than accidental. In recent years, many organizations have explored possibilities to move away from a strict need-to-know paradigm towards principles that recognize their identified need to share information across security domains. In many instances, an inability to efficiently share information and to make it available to new types of users introduces unacceptable risks of other kinds. State agencies need to collaborate more efficiently, and this is not achieved unless information can be made available also to external users in a secure manner. However, the transition from need-to-know towards need-to-share seems to have been done with existing coarse-grained authorizations which, just as you point out, offer "no real meaningful controls in terms of preventing people from accessing files they should not be seeing". This can however be achieved today with or without the introduction of cloud-based services. True, information needs to be classified, but in most real-world scenarios there is already sufficient metadata about information available to allow fine-grained access rules to be defined, provided modern technology solutions capable of consuming existing attributes are utilized. Standardized solutions based on the eXtensible Access Control Markup Language (XACML) enable policy-based and fine-grained access controls for these types of scenarios. The standard is mature (version 3.0 soon to be approved) and technical solutions are proven and robust. Furthermore, especially in service-oriented environments, these new technologies are fairly easy to introduce and deploy.
So provided IT managers readily adapt to new need-to-share requirements by means of adopting new technologies for finer-grained access controls, I don't think things necessarily need to get much worse until they get better. Anyone interested in XACML-based solutions can find more information on
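The post argues that a password alone gives "no real meaningful controls" once someone is inside, and the comment above describes the alternative: attribute-based, policy-driven decisions in the style of XACML that consume the classification and metadata an organization already holds. The following is an added example, not code from the post, from ActivIdentity, or from any XACML implementation. It is a small policy decision point in Python that combines a need-to-know rule (same originating organization) with a need-to-share rule (resources explicitly tagged as shareable with another organization), while clearance, compartment and export rules deny regardless. All organization names, clearances, compartments, channels and documents are constructed for the illustration.

```python
"""Attribute-based access control (ABAC) decision point, added as an illustration.

Each rule inspects subject, resource and action attributes and returns one of
the XACML-style outcomes "Permit", "Deny" or "NotApplicable". A deny-overrides
combining algorithm produces the final decision, and the default is Deny so a
request matching no rule is closed, not open. Every name and value below is
constructed for this example; none describes a real agency, product or dataset.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Hypothetical classification ladder, lowest to highest.
CLEARANCE_ORDER = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass
class Request:
    subject: Dict[str, object]   # attributes of the person making the request
    resource: Dict[str, object]  # metadata already attached to the document
    action: str                  # "read" or "export"


Rule = Callable[[Request], str]


def rule_clearance_floor(req: Request) -> str:
    """Deny if the subject's clearance is below the resource classification."""
    have = CLEARANCE_ORDER[req.subject["clearance"]]
    need = CLEARANCE_ORDER[req.resource["classification"]]
    return "Deny" if have < need else "NotApplicable"


def rule_compartments(req: Request) -> str:
    """Deny if the resource carries a compartment the subject is not read into."""
    missing = set(req.resource.get("compartments", ())) - set(req.subject.get("compartments", ()))
    return "Deny" if missing else "NotApplicable"


def rule_bulk_export(req: Request) -> str:
    """Deny export (copy to removable media, bulk download) unless it goes through
    an approved transfer channel; this holds even for people who may read the file."""
    if req.action == "export" and req.subject.get("channel") != "approved_transfer":
        return "Deny"
    return "NotApplicable"


def rule_need_to_know(req: Request) -> str:
    """Permit reads inside the originating organization (classic need-to-know)."""
    if req.action == "read" and req.subject["org"] == req.resource["origin_org"]:
        return "Permit"
    return "NotApplicable"


def rule_need_to_share(req: Request) -> str:
    """Permit cross-organization reads only for resources explicitly tagged as
    shareable with the subject's organization, and only from a managed workstation."""
    if (req.action == "read"
            and req.subject["org"] in req.resource.get("share_with", ())
            and req.subject.get("channel") == "managed_workstation"):
        return "Permit"
    return "NotApplicable"


POLICY: List[Rule] = [rule_clearance_floor, rule_compartments, rule_bulk_export,
                      rule_need_to_know, rule_need_to_share]


def decide(req: Request, rules: List[Rule] = POLICY) -> str:
    """Deny-overrides combining: any Deny wins, then any Permit, else Deny."""
    outcomes = [rule(req) for rule in rules]
    if "Deny" in outcomes:
        return "Deny"
    return "Permit" if "Permit" in outcomes else "Deny"


# Constructed sample subjects and documents (hypothetical organizations).
ANALYST_A = {"org": "AgencyOne", "clearance": "SECRET", "compartments": {"ALPHA"},
             "channel": "managed_workstation"}
ANALYST_B = {"org": "AgencyTwo", "clearance": "SECRET", "compartments": set(),
             "channel": "managed_workstation"}
CONTRACTOR = {"org": "AgencyTwo", "clearance": "CONFIDENTIAL", "compartments": set(),
              "channel": "managed_workstation"}
CABLE_SHARED = {"classification": "SECRET", "origin_org": "AgencyOne",
                "compartments": [], "share_with": ["AgencyTwo"]}
CABLE_COMPARTMENTED = {"classification": "SECRET", "origin_org": "AgencyOne",
                       "compartments": ["ALPHA"], "share_with": ["AgencyTwo"]}


def sample_decisions() -> Dict[str, str]:
    """Evaluate a few constructed scenarios; returns scenario name -> decision."""
    scenarios = {
        "owner_reads_shared": Request(ANALYST_A, CABLE_SHARED, "read"),
        "partner_reads_shared": Request(ANALYST_B, CABLE_SHARED, "read"),
        "partner_reads_compartmented": Request(ANALYST_B, CABLE_COMPARTMENTED, "read"),
        "low_clearance_reads_shared": Request(CONTRACTOR, CABLE_SHARED, "read"),
        "partner_exports_shared": Request(ANALYST_B, CABLE_SHARED, "export"),
    }
    return {name: decide(req) for name, req in scenarios.items()}


if __name__ == "__main__":
    # One audit line per decision; a real PDP would log these for detection.
    for name, verdict in sample_decisions().items():
        print(f"{name:32s} -> {verdict}")
```

The point of the layout is that the deny rules (clearance, compartment, export channel) are evaluated on the same attributes as the permit rules, so widening sharing to a partner organization never weakens the floor. Every decision is also a natural audit record: a run of Deny verdicts for one subject, or a sudden spike of Permit reads across many documents, is exactly the signal an insider-risk review would want.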
Dec 17, 2010 5:12 PM Anonymous says:
Rather than panic, organizations should look at solutions such as SoThin Thin Client software which locks down devices, permitting use of only specified connections, applications and local resources, limiting the ability to download material as in the WikiLeaks case. The U.S. govt. uses thin client devices but didn't use a solution like this to centrally manage and update workstations from a management console and to lock those workstations so that users may utilize only those connections, applications and local resources, such as external USB drives, specified by the administrator. More info on SoThin Thin Client can be found here:
