C. Warren Axelrod

Confirmation of NSA IAM Deficiencies

I read an article by Neil McAllister in The Register of August 30, 2013 confirming many of the suppositions that I made in my July 1, 2013 BlogInfoSec column “NSA: IAM … What IAM?” The article “NSA: NOBODY could stop Snowden—he was a SYSADMIN: Virtually unfettered access blew sensitive docs wide open” … available at http://www.theregister.co.uk/2013/08/30/snowden_sysadmin_access_to_nsa_docs/ … quotes my colleague Jason Healey and others. One of the most telling comments in the article is by “an insider” who says that “It’s 2013, and the NSA is stuck in 2003 technology.”

Many of the issues mentioned in McAllister’s article are very similar to those that I had brought up in my column two months previously, namely, inadequate background checks, excessive access to applications and data, insufficiently restricted exfiltration or leakage of information, and lack of adequate monitoring capability.

So what has been accomplished by stating all these suppositions? Really not that much. I even question whether 2013 technology would have made a significant difference in the Snowden case. The reason for my thinking is that, while there certainly have been some advances in the IAM (identity and access management) arena and in the detection and prevention of intrusions and anomalous activities, a proper implementation of policy, systems and procedures using decade-old methods and technologies might well have done the trick.

As indicated by the mitigation moves by NSA, which are described in McAllister’s article, such as reducing the number of sysadmins, reducing the number of users with access to secret information, and implementing the two-man rule for highly-privileged access, the fundamental problem is as much a people problem as it is technical. Unfortunately, even if the most rigorous personnel procedures are put in place, they will be relatively ineffective if the technology cannot handle the environment adequately. Background checks, strong authentication, restricted authorization and expanded monitoring only get you so far. What is needed are teams with in-depth understanding of the business and operational activities of the organization and the ability to determine who should access what the levels of authorization users need to be allowed to read, modify, copy and delete the information accessed.

As I have stated previously, it takes considerable effort and time, out of what might be considered a person’s primary role, to gather subject-matter experts with the appropriate levels of knowledge of the business activities and priorities as well as how these might be translated into policy, requirements and procedures right down to the technical levels. However, if such an investment is not made, there is little hope of improvement in getting a handle on the root causes and the solutions. The result will be some future “insider” saying “It’s 2023, and we are still stuck in 2003 technology.”

Post a Comment

Your email is never published nor shared. Required fields are marked *