
Losses from insider threats can be spectacular: in just three days in January 2008, Société Générale lost about €4.9 billion ($7.2 billion at then-current exchange rates). The bank blames a trader — familiar with access controls from years spent in its compliance department — for fraud, forgery, and attacks on an automated system. But less dramatic losses have become almost routine: the Privacy Rights Clearinghouse documents a long and growing list of financial and other personal information breaches, many due to dishonest, vengeful, or merely careless insiders.
Controls and complexity
Access controls have evolved to meet the challenges of insider threats to organizations and networks. They start with physical checkpoints: receptionists in corporate lobbies and card readers at data center doors. But today's porous networks and extended enterprises allow former outsiders — guests, contractors, temporary workers and non-employee visitors — past those checkpoints, and grant them varying degrees of access to networks, applications and data. On the network, security may actually become inverted: openness is needed to make these former guests productive and the organization successful. And off-shoring and near-shoring practices open networks to organizations that don't share physical facilities.
Organizations try to adapt their physical, electronic and process controls to manage access to these multiple networks, applications and databases, all based on policies that align permissions to business roles.
This complexity raises problems of its own. Consistent application of policies is a never-ending challenge for security personnel: user roles change constantly, and while granting access is often an emergency, withdrawing it rarely is. This systematic bias can lead to "access inflation": greater and more widespread access, punctuated by intermittent panics and audits. It's an invitation to disaster, a red flag for regulators, and no way to run a business. But what can be done?
Establish disciplined, granular policies
Access controls for this new threat environment require a disciplined approach based on clear policies. Starting with established authentication policies, policymakers should add granularity to cover:
* high-security and high-risk data, applications, and network zones, such as personnel, human resources, finance, and research and development, so that sensitive data and the organization's intellectual property are protected
* personnel roles and responsibilities down to individual identities, taking care to maintain separation of responsibilities where regulations, standards, and common sense require it
* site-wide visibility covering every organizational responsibility and network leg, to support the monitoring, deterrence, and forensics that pinpoint any policy exception
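As an added illustration of how such granular, role-aligned policies can be checked (example code written for this page, not from the original article), the script below reconciles each identity's granted entitlements against a role-to-entitlement policy, flagging the "access inflation" grants no current role justifies and the separation-of-duties conflicts the list above calls for. All roles, entitlements and users are constructed sample data.

```python
"""Access-review example: detect access inflation and SoD conflicts.

Added example, not the article's own code. Policy and users below are
constructed sample data, not real roles or entitlements.
"""
from dataclasses import dataclass

# Policy: which entitlements each business role justifies (constructed).
ROLE_ENTITLEMENTS = {
    "trader":     {"trading:book", "market-data:read"},
    "compliance": {"trading:read", "trading:approve", "audit-log:read"},
    "hr":         {"personnel:read", "personnel:write"},
}

# Entitlement pairs one identity must never hold together (constructed).
SOD_CONFLICTS = [
    frozenset({"trading:book", "trading:approve"}),
    frozenset({"personnel:write", "audit-log:read"}),
]

@dataclass
class User:
    name: str
    roles: set
    entitlements: set

def review_user(user):
    """Return policy exceptions for one user as (kind, detail) tuples."""
    justified = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in user.roles))
    findings = []
    # Access inflation: grants left over from a former role or an emergency.
    for ent in sorted(user.entitlements - justified):
        findings.append(("unjustified", ent))
    # Separation of duties: conflicting entitlements held by one identity.
    for pair in SOD_CONFLICTS:
        if pair <= user.entitlements:
            findings.append(("sod-conflict", "+".join(sorted(pair))))
    return findings

def review_all(users):
    """Map each user name to its findings; an empty list means policy-clean."""
    return {u.name: review_user(u) for u in users}

# Constructed sample: a trader who kept approval rights from a former role.
SAMPLE_USERS = [
    User("trader-a", {"trader"}, {"trading:book", "market-data:read", "trading:approve"}),
    User("hr-b", {"hr"}, {"personnel:read", "personnel:write"}),
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_USERS).items():
        print(name, findings or "clean")
```

Running the review on every identity at a fixed cadence, rather than only when someone asks, is what turns the intermittent panics and audits into routine exception handling.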