Richard Stiennon is a well-known and respected IT analyst who writes a blog called IT Harvest.
A recent post of his deals with trusted insider threats. Despite its length, I believe the article has a number of fundamental flaws:
- Overestimating the value of identity and access management in mitigating trusted insider threats
- Lacking empirical data to support the claim that “the insider threat actually outweighs the threats from cyber criminals, hackers and the malware”
- Missing a basic management issue of accountability
The role of identity and access management in preventing trusted insider security violations
Stiennon writes that IAM (identity and access management) “is the single most valuable defense you have against the insider threat.” I beg to disagree, and I will attempt to explain by using the model of a crime.
Like any other crime, in order to steal or disclose assets, a person needs a combination of means, opportunity and intent.
IAM provides the means for the trusted insider. Companies issue users legitimate accounts with rights to access certain data, applications, databases and file services. Insiders know how the systems work, the business processes, the company culture and how people interact. They know who runs the rights-management systems and who grants permissions. With the right knowledge and social connections, means can be obtained even where the IAM system never granted them by design.
A trusted insider who steals is an employee acting out of self-interest, shaped by personal preferences, social context, corporate culture and her aversion to risk weighed against the premium gained by stealing data. There is little in the traditional access control model to mitigate any of this once access has been granted: the model answers only whether a role may touch an object, not whether the pattern of use is legitimate.
In 100 percent of the cases we investigated in our data security practice, the client’s permissions systems were working properly: the trusted insiders involved had all been granted appropriate rights, they did not perform any elevation-of-privilege exploits, and they took data that they had appropriate access to. Directors of new product development, system managers, sales managers: each and every one who took and/or abused data did so with appropriate permissions.
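To make the point concrete, here is an added illustration (it is not code from the original post, from Stiennon’s article, or from any real client). It builds a hypothetical role-to-permission table and a constructed audit trail in which a sales manager reads a few customer records a day and then sweeps the whole table. Re-running the permission check over the trail denies nothing, exactly as in the cases above; only a check that lives outside the access-control model, here a simple per-user daily-volume baseline, notices the sweep. The role names, record ids, dates and thresholds are all invented for the example.

```python
from collections import defaultdict

# Hypothetical IAM data: roles, their permissions, and user-to-role mapping.
ROLE_PERMISSIONS = {
    "sales_manager": {("customers", "read")},
    "developer": {("source", "read"), ("source", "write")},
}
USER_ROLES = {"alice": "sales_manager", "bob": "developer"}


def rbac_allows(user, resource, action):
    """The access-control decision: may this user's role perform this action
    on this resource? It knows nothing about how often or how much."""
    role = USER_ROLES.get(user)
    return role is not None and (resource, action) in ROLE_PERMISSIONS[role]


def build_audit_log():
    """Constructed audit trail (not real data). Each line is
    '<date> <user> <resource> <action> <record_id>'. Alice reads a handful of
    customer records a day for four days, then reads 400 records on day five."""
    lines = []
    for day, ids in (("2010-02-01", (1001, 1042, 1077)),
                     ("2010-02-02", (1003, 1042)),
                     ("2010-02-03", (1005, 1009, 1077, 1110)),
                     ("2010-02-04", (1042,))):
        for rid in ids:
            lines.append(f"{day} alice customers read c-{rid}")
    for rid in range(1001, 1401):
        lines.append(f"2010-02-05 alice customers read c-{rid}")
    lines.append("2010-02-05 bob source read src-main.c")
    return lines


def parse(line):
    day, user, resource, action, record = line.split()
    return day, user, resource, action, record


def check_permissions(lines):
    """Replay the access check over the trail and return the lines that should
    have been denied. For an insider using granted rights, this is empty."""
    return [line for line in lines if not rbac_allows(*parse(line)[1:4])]


def volume_alerts(lines, factor=5, floor=20):
    """Usage-based check outside the access-control model. Flags a user/day
    whose number of distinct records exceeds `factor` times that user's largest
    earlier daily count and is at least `floor`. Thresholds are illustrative."""
    per_day = defaultdict(set)            # (user, day) -> set of record ids
    for line in lines:
        day, user, _, _, record = parse(line)
        per_day[(user, day)].add(record)

    history = defaultdict(int)            # user -> largest daily count seen so far
    alerts = []
    for user, day in sorted(per_day):     # ISO dates sort chronologically
        count = len(per_day[(user, day)])
        baseline = history[user]
        if baseline and count >= floor and count > factor * baseline:
            alerts.append((user, day, count, baseline))
        history[user] = max(baseline, count)
    return alerts


if __name__ == "__main__":
    log = build_audit_log()
    print("denied by RBAC:", check_permissions(log))       # []
    print("volume alerts:", volume_alerts(log))             # alice on 2010-02-05
```

The baseline here is deliberately naive: it is per user, it only learns from that user's own past, and it would miss a sweep on the user's first day or one spread thinly over many days. The design choice it illustrates is the separation of concerns: the permission check stays exactly as it is, and the detection logic reads the same audit trail the permission system already produces.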
Lacking empirical data
“While often overlooked, the insider threat actually outweighs the threats from cyber criminals, hackers and the random malware that most organizations concentrate on”
Stiennon doesn’t bring any evidence for this populist statement. As a research analyst, I would expect some independent numbers behind the statement. Au contraire, Richard: according to our data security practice of over 5 years in Europe and the Middle East (and according to the Verizon Business report for the past 2 years), insider events are rare, high-impact events that are a complex interplay of agents (criminals, competitors, business partners) and vulnerabilities (human and application software).
Missing a basic management issue of accountability
Stiennon talks about HR and IT. The truth is that there is a fundamental management disconnect between the two: HR hires, but has no accountability when an employee is involved in a security breach and gets fired; IT has some of the data and almost never shares it with HR. I suggest higher levels of HR accountability and involvement in data security, together with their audit, IT and information security management colleagues.
I wrote about the great IT-management divide last year in my post on the 7th anniversary of the Al Qaeda attack on the US.