WikiLeaks case proves need, challenge with ID management
WikiLeaks imbroglio unveils troubles with tying identity management to security
If any one recent event points to the need for things such as data loss prevention and information rights management, it’s the release in 2010 of hundreds of thousands of sensitive Defense Department and State Department documents and diplomatic cables by WikiLeaks. Ironically, it wasn’t caused by an advanced persistent threat or other sophisticated malware but by a well-known threat: a knowledgeable insider.
Still, it had the same effect. Shortly after the publication of the documents by WikiLeaks, OMB Director Jacob Lew ordered all federal agencies to review their procedures to prevent similar leaks and limit potential vulnerabilities, such as how documents could be downloaded and distributed.
"Such review should include (without limitation) evaluation of the agency's configuration of classified government systems to ensure that users do not have broader access than is necessary to do their jobs effectively, as well as implementation of restrictions on usage of, and removable media capabilities from, classified government computer networks," he wrote in a memo.
DOD responded with a slew of new and updated security measures, including issuing 500,000 hardened smart cards to secure network users, implementing a host-based security system that centrally monitors system configurations, deploying a device control module that disables the use of removable media except in very limited cases, and considering the possible future use of an audit extraction module, developed by the National Security Agency, that can use existing audit capabilities on host-based security systems to report questionable behavior.
However, the DOD response also highlighted some of the problems with using security controls such as data loss prevention (DLP) or information rights management (IRM). As DOD CIO Teresa Takai told Congress in March, using role-based software to limit users to only the information they are entitled to is feasible, but it depends on defining the many different roles that users can play, which is no easy task, and on identifying the information they need to fulfill those roles.
It’s the same problem that plagues the implementation of identity management systems. That technology has also been tagged as vital for government security. But in the context of what some government employees are asked to do, how do you define their identity?
At DOD, as Takai pointed out, intelligence analysts and operations planners need access to a wide range of data in order to do their jobs, and it’s frequently of the most sensitive kind. In that situation, which is similar at many agencies across the government, how do you apply DLP and IRM?