After WikiLeaks began publishing secret U.S. diplomatic cables in late November, a number of pundits, including ex-Alaska Gov. Sarah Palin, asked how the federal government failed to detect and prevent the disclosure of the classified data.
“How was it possible that a 22-year-old private first class could get unrestricted access to so much highly sensitive information?” Palin wondered on Facebook. “And how was it possible that he could copy and distribute these files without anyone noticing that security was compromised?”But sorting out identity and data leakage challenges, especially at organizations the size of government agencies, is not always east, especially when access to and the sharing of information is critical to one's job, security experts said. Thus, deploying too restrictive of controls may lead to performance declines and employee backlash.
“You can't impede 99 percent of the users in the hopes of stopping one percent of them,” said John Pescatore, Gartner vice president and research fellow. “A bigger risk is if the business slows down.”Wade Baker, director of risk intelligence at Verizon Business, said the actions of whistleblower Bradley Manning, the soldier who shared the sensitive data with WikiLeaks, fits the classic profile of a trusted insider gone rogue.
“It has many of the same characteristics of many of the breaches we [have] looked at,” Baker said. “You've got a person with access to more than they need to perform their job.”According to Verizon Business' 2010 Data Breach Report, a majority of organizations are slow to detect data-loss incidents. In addition, 48 percent of the breaches studied were caused by users who abused their access rights.
Both the public and private sector, though, appear to be reacting. For example, since the first cables were published, McAfee has seen a three-fold increase in requests for security assessments. Baker said a recent conversation with a federal government CISO revealed that “the whole insider thing is now at the front of their radar.”
Technologies such as data leakage prevention, database activity monitoring, digital rights management, data tagging and identity management can help, but all have their limitations, experts said. In the end, any security changes must strike a balance.“People need to share information,” Baker said. “They just need to share the right information with the right people.”