Secure Coding mailing list archives

Re: ZDNnet: Securing data from the threat within [by buying products]


From: Crispin Cowan <crispin () immunix com>
Date: Mon, 17 Jan 2005 16:43:24 +0000


I completely disagree. I find the article to be timely and informative.

What Kenneth suggests (use of RBAC) will not solve the problem. First of 
all, RBAC is not practical to deploy in most situations; companies are 
still trying to cope with AV and firewalls, and just beginning to think 
about host and application security. RBAC is completely beyond them.


But even more important, RBAC will not actually address the problem that 
this article describes. The organizational secrets that are being leaked 
are being leaked by people who actually have access to the data, and 
thus RBAC would just grant them the access. An access control solution 
to this problem would require something far stronger than RBAC, in the 
form of an MLS solution that does not allow a user to pass information 
from a "high" to a "low" security domain, and these MLS solutions are 
even less enterprise-friendly than MLS.


In light of all that, it does make sense for enterprises to consider 
network-level solutions like these.


On the other hand, enterprises should stay cognizant of the "sneakernet" 
hole: if you deploy all this stuff, it is still trivial for an insider 
to walk sensitive data out the front door on a USB memory stick, a CD-R, 
a Bluetooth phone, etc. that the network-level products will never see.


Crispin

Kenneth R. van Wyk wrote:


Greetings all,

I saw a moderately interesting article this morning on ZDNet (see 
http://news.zdnet.com/2100-1009_22-5520016.html?tag=zdfd.newsfeed for the 
full text).  The premise of the article is about how companies have been 
building external perimeters for years and now they need to also protect 
themselves from insiders, because, "...now discontented, reckless and greedy 
employees, and disgruntled former workers, can all be bigger threats than the 
mysterious hacker."


The article goes on to list some new products, technologies, and methods for 
protecting data from the insiders.  It says, "a whole new class of products 
has sprung up aimed at keeping employees and other insiders from sending 
confidential information outside the company."  It describes network-level 
products as well as the need for client-level products for monitoring and 
controlling data flow.


IMHO, what's missing here is a discussion on writing better enterprise 
applications that make effective use of concepts like role-based access 
control, transaction/event logging and monitoring, etc.  In fact, the article 
would lead an IT security manager to think that the only solution to insider 
problems is to buy more security products.  Frustrating...


To find a fairly "mainstream" article like this that is (again, IMHO) so 
thoroughly off base really makes me wonder whether the Software Security 
community is making progress or not.  Opinions?


Cheers,

Ken van Wyk
--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
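The RBAC-versus-MLS point in Crispin's reply, as an added example that is not part of the original thread: a toy model in which RBAC permits an authorised analyst to read a SECRET document and then write its contents to a PUBLIC sink, while a simplified MLS policy (Bell-LaPadula with a high-water mark) allows the read but denies the write-down. The levels, the `analyst` role and the session scenario are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Constructed classification lattice; higher value = more sensitive."""
    PUBLIC = 0
    SECRET = 1


@dataclass
class Session:
    """One user's session; `watermark` is the highest level read so far."""
    role: str
    clearance: Level
    watermark: Level = Level.PUBLIC


# Constructed RBAC policy: the "analyst" role may both read and write documents.
ROLE_PERMS = {"analyst": {"read", "write"}}


def rbac_allows(session, action, doc_level):
    """RBAC asks only whether the role holds the permission. It never looks
    at where data flows, so an authorised reader may write it anywhere."""
    return action in ROLE_PERMS.get(session.role, set())


def mls_allows(session, action, doc_level):
    """Simplified MLS (Bell-LaPadula with a high-water mark): no reading above
    clearance, and no writing below the highest level already read, so
    information cannot move from a "high" domain to a "low" one."""
    if action == "read":
        return session.clearance >= doc_level
    if action == "write":
        return doc_level >= session.watermark
    return False


def run_insider_sequence(policy):
    """Replay the thread's scenario: a user who legitimately holds access reads
    a SECRET document, then writes to a PUBLIC sink (e.g. outbound mail).
    Returns the per-step decisions; a leak is possible only if both are True."""
    s = Session(role="analyst", clearance=Level.SECRET)
    decisions = []
    for action, level in [("read", Level.SECRET), ("write", Level.PUBLIC)]:
        ok = policy(s, action, level)
        decisions.append(ok)
        if ok and action == "read":
            s.watermark = max(s.watermark, level)  # remember what flowed in
    return decisions


if __name__ == "__main__":
    print("RBAC:", run_insider_sequence(rbac_allows))  # [True, True]: leak allowed
    print("MLS: ", run_insider_sequence(mls_allows))   # [True, False]: write-down denied
```

Note that neither policy says anything about the "sneakernet" hole Crispin raises: once the data is on the insider's screen, a host-level model cannot stop it leaving on removable media.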
