Update: It has been several weeks since the Snowden leaks and, at time of writing, his every move, real and virtual, is being tracked by the media. While Snowden's having had access to top-secret information was mentioned briefly, as noted in this column, it wasn't until weeks after the leaks (and months after the documents about the PRISM system and other NSA activities were being siphoned off the NSA's network of systems) that attention finally focused on access management. Christopher Drew and Somini Sengupta wrote an article in The New York Times, dated June 23, 2013, titled "NSA Leak Puts Focus on System Administrators," available at http://www.nytimes.com/2013/06/24/technology/nsa-leak-puts-focus-on-system-administrators.html?pagewanted=all&_r=0. In it, General Keith Alexander is quoted as saying that the NSA would institute a two-man rule among its 1,000 system administrators. This "closing the barn door" approach is better than none, but it only raises the bar from one trusted insider to two: it is still subject to collusion between the pair, or to coercion of one by the other, leading to further leaks. Perhaps you recall movie scenes where one operator pulls a gun on the other in an attempt to force him to turn the key to release nuclear missiles.
Infosec professionals have known for decades that "insiders" with privileged access are the greatest risk and have put special processes and procedures around them. I recall sitting on an Application Access Review Committee where we carefully reviewed every request for access by users and technical staff, approving some, denying others, and accepting some only if they complied with special protective procedures. And then there was a procedure whereby a developer needing access to fix a production system was given an envelope with a secret password in it. The developer would access the system under supervision and, after the work was completed, a new secret password was set, sealed in an envelope and locked in a drawer. This system, which was in common use, was superseded by automated methods: privileged-access management tools that check a credential out to a named person for an approved window, record what is done with it, and rotate the password automatically on check-in, so that the sealed envelope and the locked drawer become an audit log and a vault.
The common view is that at some point you have to trust someone or, in the case of the "two-man rule," you need to trust one out of two. This doesn't have to be the case. There are sophisticated methods where such trust is not required. Split knowledge is one: a secret is divided so that no single custodian holds it, and with a threshold (k-of-n) scheme no group smaller than the threshold can recover it, so an attacker must corrupt or coerce several people rather than one. Public-key encryption is another example, since it removes the need to share a secret key at all (although there is still a need to trust the Certificate Authority that binds keys to identities, and that trust doesn't always hold). The methods may be costly, complex and difficult to operate, but they are often justified if the secrets are valuable enough.
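As an added illustration of the split-knowledge idea in the two paragraphs above (this is example code written for this page, not a procedure from the column or from any agency), the sealed-envelope password can be split with Shamir secret sharing so that, say, any 3 of 5 custodians can reconstruct it while any 2 learn nothing. The 15-byte sample password, the 3-of-5 threshold and the function names are constructed for the example; the arithmetic is ordinary polynomial interpolation over the prime field GF(2^127 - 1).

```python
"""Split a break-glass password into k-of-n shares (Shamir secret sharing).

Example code for this page. The password and the 3-of-5 split are constructed.
"""
import secrets

# 2**127 - 1 is prime, so all arithmetic below is in the field GF(PRIME).
PRIME = 2**127 - 1
MAX_SECRET_BYTES = 15  # 15 bytes = 120 bits, which always fits below PRIME


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs[0..k-1] at x (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, k: int, n: int):
    """Return n shares (x, y). Any k of them reconstruct the secret; fewer reveal nothing."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if len(secret) > MAX_SECRET_BYTES:
        raise ValueError("secret must be at most %d bytes" % MAX_SECRET_BYTES)
    s = int.from_bytes(secret, "big")
    # Degree k-1 polynomial: constant term is the secret, the rest are uniformly random.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_int(shares):
    """Lagrange-interpolate the polynomial at x=0 from the given shares.

    With k or more distinct shares this returns the secret. With fewer it still
    returns a field element, but one that is independent of the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(shares, length: int) -> bytes:
    """Reconstruct the password bytes from at least k shares."""
    return recover_int(shares).to_bytes(length, "big")


def demo():
    """3-of-5 split of a constructed emergency password; returns the outcomes."""
    password = b"BreakGlass-2013"  # constructed sample, 15 bytes
    shares = split_secret(password, k=3, n=5)
    with_three = recover_secret(shares[:3], len(password))         # custodians 1,2,3
    with_other_three = recover_secret(shares[2:], len(password))    # custodians 3,4,5
    with_two = recover_int(shares[:2])                              # only two: no information
    return password, with_three, with_other_three, with_two


if __name__ == "__main__":
    pw, a, b, two = demo()
    print("three shares:", a == pw, "| other three:", b == pw,
          "| two shares give the password:", two == int.from_bytes(pw, "big"))
```

Each share would go to a different custodian; after a supervised use the password is changed and freshly split, which is the automated equivalent of sealing a new envelope. Note that the scheme protects the secret, not the session: once three custodians have reconstructed it, what the resulting session does still needs supervision or recording.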
That being said, here’s the original column …
****** In response to the leaks of NSA (National Security Agency) secrets by Edward J. Snowden, most reporters, officials and much of the public are concentrating on issues of privacy and oversight of telephone conversations, emails, and other forms of communication as well as the travels of Mr. Snowden as he hops from one country to another. However, few are raising serious and insightful questions about his being given privileged access to such sensitive documents and data. When asked in testimony before the U.S. Senate Appropriations Committee on June 12, 2013, about how a low-level staffer, such as Edward Snowden, could have gained access to such highly classified documents, Army General Keith Alexander, director of the National Security Agency and head of the U.S. Cyber Command, replied that he would look into the access management process and make sure that it was corrected. Wall Street Journal reporter Siobhan Gorman also brought up the issue in an interview with Charlie Rose.
As an information security professional, I find this apparent deficiency of access control, particularly over insiders (including contractors), at the premier security agency in the country, if not the world, to be at once baffling and very disturbing. You would think that the NSA would have greater control over, and understanding of, those who are able to access, read, copy and exfiltrate highly sensitive information. So I thought that, in order to better understand the issues relating to insider access, we might re-evaluate the typical steps in the IAM (Identity and Access Management) process to see what may have gone wrong and why. I should say, at this point, that this discussion does not imply that the NSA doesn't do what is recommended here, since I have no personal knowledge of any of NSA's IAM systems.
The first phase of any IAM system is "identification," beginning with the "registration" of individuals. How well do background checks screen out potential problem employees and contractors, and can they anticipate future nefarious behavior? The initial examination in the U.S. government's clearance program is certainly rigorous and, judging by the very low number of those who are seen to break the trust placed in them, it appears to be highly effective. What is needed, however, are timely updates to such reviews, since people's attitudes, access and abilities change over time. This is hard to do and expensive, but even in the private sector I have seen more frequent and deeper background reviews for those with privileged access to highly sensitive systems and data. There is no question that individuals' circumstances and opinions change over time and, when such changes are not detected and acted upon, we see the potential for very damaging "insider" activities (contractors being insiders too). In some respects, leaking data may be the lesser of two evils when the insider is a trusted system administrator. These individuals hold the keys to the kingdom and are often in a position to undermine the integrity of systems and data, damage systems and, at the extreme, destroy systems and the data on which they operate.