Don't blame the employees for peeping: Organizations are at fault for poor access governance
Brian Cleary vice president of products and marketing, Aveksa
A recent example of this trend occurred recently when it was revealed on Nov. 22, 2008 that Verizon had fired several employees who had looked at the cell phone records of newly elected president Barack Obama. Politicians and celebrities use cell phones, apply for passports and seek health care at major hospitals just like everyone else. Employees at these organizations need to realize that unless there is a job-related reason for them to access these records, even sneaking a peek at them is a very bad idea. However, the real problem here is not the natural curiosity of employees, but rather the poor controls for how user access is governed at these organizations.
Obama has been a prime target of these types of attacks, with three different unauthorized data breaches on his private records in the last year alone. This type of incident is something that is fast becoming a trend that companies that store sensitive personal records of politicians and celebrities have to deal with every day. Organizations are reporting with increasing frequency that their employees, out of personal curiosity or other potentially more devious motivations, are "peeping" at the account records of public figures, and suspensions and firings are being announced on an almost weekly basis.
While organizations are quick to point out that they have specific policies related to accessing sensitive information, too often these policies are confined to a three ring binder on a book shelf in the IT security or compliance office. It is wishful thinking to believe that employees will internalize these policies through training and make them part of their daily operating practice and procedure. To be effective and consistently applied, policies need to be instantiated as a set of automated controls.
Some recent access-related examples worth mentioning include:
Candidates' passport records – In the spring of 2008, the passport records of Presidential candidates Obama, John McCain and Hilary Clinton were all illegally accessed by State Department workers. In fact, since that first disclosure, three employees of the state department have pled guilty in court to illegally accessing the records data of politicians and celebrities. The latest court case was just settled on January 28, 2009. As part of his guilty plea Gerald Lueders acknowledged that between July 2005 and last February, he logged into the State Department's Passport Information Electronic Records System (PIERS) and viewed the passport applications of more than 50 politicians, actors, musicians, athletes, members of the media and other people.
Joe the Plumber – In October 2008, government computers in Ohio were used to illegally access personal information about Samuel Joseph Wurzelbacher, otherwise known as "Joe the Plumber.” During their October 15 debate, presidential candidates Barack Obama and John McCain referred to "Joe the Plumber" constantly. In the days following the debate, information on Wurzelbacher's driver's license or his sport utility vehicle was retrieved illegally from the Ohio Bureau of Motor Vehicles database three times.
UCLA Medical Center –In March 2008, it was revealed that a total of 126 employees had been fired at this hospital according to the Los Angeles Times. Workers inappropriately accessed the records of Britney Spears and Farrah Fawcett, and one employee sold this information to a national tabloid in violation of the Health Insurance Portability and Accountability Act (HIPAA).
Shands Jacksonville Medical – In October 2008, 20 employees—including nurses, admissions workers and patient relations staff—were fired for inappropriately accessing Jacksonville Jaguar Richard Collier's medical record. Collier had been hospitalized for more than a month following a shooting in Riverside.
What can an organization do?
There needs to be more focus on ensuring that the entitlements employees have to information resources, are required for their particular job function. It is not unusual, for example, for employees to accumulate unnecessary access privileges as they are promoted, transferred or temporarily assigned to another department within the organization. Users that drag excess entitlements into their new role may create toxic combinations of access that often result in segregation-of-duties violations or create other business risks. These are surprisingly common problems in large organizations, and they are natural consequences of the usual pressure on IT departments to provide access quickly when employees are transferred or promoted into positions that require new sets of entitlements.
Organizations that leverage role-based access governance are able to put automated controls in place for access delivery and access change management to ensure that user privileges are appropriate to their particular job function or process role. As a result, access to personally identifiable information is effectively governed based on a valid business reason for access, mitigating business and compliance risk.
Specifically, role-based access governance should address:
Controls automation: Organizations need to implement automated controls for access delivery and change management that ensure policies are being applied in a consistent fashion and access related risk is avoided. A process based on event-driven controls needs to be put into place to address change (join, move or leave) to a user's relationship with the organization. Organizations that leverage enterprise business roles will not only strengthen their policy framework, through a set of preventative controls, but will also be able to speed up access delivery and ensure better accuracy.
Remediation & validation: When change is required to a user's access, ensuring that the change request took effect (entitlement assignment or revocation) is critical. Having an automated, closed-loop remediation and validation process will ensure that application owners and system administrators have executed on the access change request in a timely fashion.
Access review and certification: Whatever the cause, organizations that do not certify access on a regular basis are most susceptible to “entitlement creep” and to prolonged exploitation by system intruders whose access, once established, goes unnoticed. Review and certification provide a set of detective controls that are typically required by many regulations and industry mandates such as SOX, PCI, HIPAA, FERC/NERC and FISMA (to name a few).
With a roles-based access governance approach in place, an organization will be well on its way to managing the business and regulatory risks of inappropriate access to its information resources. The right solution requires a strategic approach for access governance that is based on automated business processes and controls for managing the constant change to user access while ensuring visibility and accountability of access across the entire enterprise.
Brian Cleary is vice president of products and marketing for Aveksa.