Time For Action

by msecadm4921

Accessing all areas must stop; by Adam Bosnian – VP Products, Strategy and Sales at Cyber-Ark Software.

The following is an email conversation UK Ltd had in March 2010:

From: Dave Griffin, Managing Director
To: Elaine Pearce, CISO; Richard Winston, IT Manager
Subject: No Access to Sensitive Data – No Excuses
Dear Elaine and Richard,
You know we’ve been discussing the Data Protection Act (DPA); well, I’ve just heard that the Information Commissioner has said he’ll impose a £500K financial penalty from April for serious breaches. I don’t think we should wait to see if he’s all mouth and no action. There are two days till the next board meeting and I want to show them you’re on the ball. Now, to give you somewhere to start, I’ve put a lot of thought into this and I’ve come up with a foolproof plan – don’t let anyone access the sensitive stuff who can’t be trusted. I’ll leave it in your capable hands.

From: Elaine Pearce
To: Richard Winston
Re email from David – we’ve been discussing the DPA have we? I thought we were talking and he was ignoring us. Typical, as soon as it’s going to affect his bottom line he starts barking orders and demanding solutions yesterday. And as for his light bulb moment of stopping those that can’t be trusted – genius, now why didn’t we think of that? AHHHHHHHH.

From: Richard Winston
To: Elaine Pearce
Well, someone’s had too much caffeine. Firstly, you know David, where money’s involved he’s no one’s fool and at least he did listen to our DPA chats even if he didn’t give us any feedback or budget. What this does mean is we finally have his attention, to implement some form of privileged access control. Obviously it’s impractical for us to determine who can and can’t be trusted, but he’s not completely wrong as that’s half the problem – you can’t really trust anyone. Let’s research the market and come up with a workable alternative. Sound good?

From: Elaine Pearce
To: Richard Winston
I was enjoying my rant but as always the voice of reason wins – sounds good. Where shall we start?

From: Richard Winston
To: Elaine Pearce
I think we need to work out who is accessing what and then we’ll know what we’re up against and identify a way to control it.

From: Elaine Pearce
To: Richard Winston
Access is just one element; we also need to know what they’re doing with it, why, whether they should and how it’s impacting our business.

From: Richard Winston
To: Elaine Pearce
Why do we need to do that, surely it makes no difference?

From: Elaine Pearce
To: Richard Winston
Okay, so the IT administrator, Sales Manager, HR Director, CSO, etc.: everyone in the organisation currently has access to the customer database – what for? Why do they all need to? I also question how we know if it’s actually them accessing it, or someone spoofing another user or application. This is the perfect opportunity to resolve this at the same time. If there’s a legitimate business reason then perhaps we stipulate a specific date and time for them to use it and, if not, maybe we can block their privileges altogether. Make sense?

From: Richard Winston
To: Elaine Pearce
Brains and beauty, who’d have known. I’ll research the market to see if there’s a way to make the theory a reality and let you know how I get on.

From: Elaine Pearce
To: Richard Winston
Sounds like a plan. I suppose, while we’re at it, we know the product pipeline and marketing strategy for the next 12 months would also cause problems if leaked. We should look to sort that too.

From: Richard Winston
To: Elaine Pearce
Definitely – the ICO probably wouldn’t be interested but I’m sure our competitors would be and we may as well cover our bottoms.

From: Elaine Pearce
To: Richard Winston
I don’t want mine exposed :-). With the customer database – does everyone need to see everything? Currently each record holds their address, security questions, order history and their payment details.

From: Richard Winston
To: Elaine Pearce
That’s a breach waiting to happen – we don’t need a third party, just a rogue employee. We definitely need the credit card details segregated from the security questions – no-one should see both.

From: Elaine Pearce
To: Richard Winston
The problem would be how to process payment of the orders?

From: Richard Winston
To: Elaine Pearce
We could write a home-grown programme or buy an off-the-shelf solution that automates the payment of these accounts. Once the order is entered into the system the application would take over, collect the card details and get the payment authorised. What we would need to ensure is that the way the programme logs into the database to get the card details isn’t open to attack. One way would be to instruct the programme to retrieve the login details from an external source.
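The pattern Richard describes above (the payment programme never holding the database password itself, but fetching it from an external store at the moment of use, with that store deciding which application identity may read which secret and keeping a record of every request) can be sketched in a few dozen lines. The block below is an added illustration, not code from the article or from Cyber-Ark; the `Vault`, `CardDatabase` and `PaymentApp` classes, the `cards-db` secret name and the sample order row are all constructed for the example, and the in-memory vault stands in for whatever external credential store an organisation actually deploys.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    username: str
    password: str


class Vault:
    """Constructed stand-in for an external credential store: holds each
    secret, an allow-list of application identities per secret, and an
    access log. It models the pattern only; it is not any vendor's API."""

    def __init__(self):
        self._secrets = {}      # secret name -> Credential
        self._policy = {}       # secret name -> set of permitted app ids
        self.access_log = []    # (app_id, secret name, outcome)

    def store(self, name, cred, allowed_apps):
        self._secrets[name] = cred
        self._policy[name] = set(allowed_apps)

    def rotate(self, name):
        """Replace the password; callers that fetch per use pick it up."""
        old = self._secrets[name]
        new = Credential(old.username, secrets.token_urlsafe(24))
        self._secrets[name] = new
        return new

    def fetch(self, name, app_id):
        """Hand out a secret only to an identity the policy names, and log
        the request whether it is granted or denied (the auditor's trail)."""
        granted = app_id in self._policy.get(name, set())
        self.access_log.append((app_id, name, "granted" if granted else "denied"))
        if not granted:
            raise PermissionError(f"{app_id} may not read secret {name!r}")
        return self._secrets[name]


class CardDatabase:
    """Constructed in-memory table of card details, logged into with a
    credential the database owner can change at any time."""

    def __init__(self, cred, cards):
        self._cred = cred
        self._cards = cards     # order_id -> masked card reference

    def set_credential(self, cred):
        self._cred = cred

    def card_for_order(self, cred, order_id):
        if cred != self._cred:
            raise PermissionError("database login rejected")
        return self._cards[order_id]


class PaymentApp:
    """The payment programme. The only thing it holds is its own identity;
    the database password is fetched from the vault on every use and is
    never written to a file or cached in the process."""

    APP_ID = "payment-app"

    def __init__(self, vault, db):
        self._vault, self._db = vault, db

    def authorise(self, order_id):
        cred = self._vault.fetch("cards-db", self.APP_ID)
        card = self._db.card_for_order(cred, order_id)
        return f"authorised order {order_id} on card {card}"


def demo():
    """Provision the secret, run a payment, refuse another application,
    rotate the password and show the app still works; return the results."""
    vault = Vault()
    initial = Credential("payments", secrets.token_urlsafe(24))
    vault.store("cards-db", initial, allowed_apps=[PaymentApp.APP_ID])
    db = CardDatabase(initial, {1001: "tok_****4242"})   # constructed row
    app = PaymentApp(vault, db)

    first = app.authorise(1001)

    # A reporting tool has no policy entry for the card database secret.
    try:
        vault.fetch("cards-db", "reporting-app")
        denied = False
    except PermissionError:
        denied = True

    # Rotate the password in the store and the database together; the app
    # keeps working because it never kept a copy of the old one.
    rotated = vault.rotate("cards-db")
    db.set_credential(rotated)
    second = app.authorise(1001)

    return {"first": first, "denied": denied, "second": second,
            "log": list(vault.access_log)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two points worth noting when reading `demo()`: the rotation only succeeds because the store and the database are updated as one step (in practice the store drives the database password change, or both are changed within the same maintenance window), and the access log is only a trail if the store itself is protected from the people it logs, which is why the article's exchange goes on to ask who is allowed to grant these privileges.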

From: Elaine Pearce
To: Richard Winston
That’s why you’re IT and I’m Information – I understood the principle but I’m not sure I’d know how to make it happen. What about third parties – such as the auditors?

From: Richard Winston
To: Elaine Pearce
The auditor just needs to see the trail – who’s accessed it and what they’ve done to it. We can address the others as we go so we’ll need something we can continue to manage easily on an ongoing basis.

From: Elaine Pearce
To: Richard Winston
We need to control granting these privileges – not everyone should be able to do it and those that can are really privileged (pardon the pun :-)).

From: Richard Winston
To: Elaine Pearce
I think I’ve found something and it’s as if it’s been tailor-made for us. Go to this URL: www.cyberark.com and have a look at the application identity manager information.

From: Elaine Pearce
To: Richard Winston
I’ve had a look and it’s fab. I think Dave will really like the virtual safe concept. I like the idea of finally having some form of control to grant privileges on a case by case basis. The tamperproof audit trail is also great as it covers the ICO’s requirements and also helps with Sarbanes-Oxley and PCI.

From: Richard Winston
To: Elaine Pearce
The bit that got me was the passwords being encrypted and also locked away as I’m always worried someone would stumble across the file ‘accidentally on purpose’ and make unauthorised changes. I’ll brief Dave ahead of the board meeting on Monday – fingers crossed he buys into it too!

From: Dave Griffin
To: Elaine Pearce; Richard Winston
Thanks for the information. It’s exactly what I said we should do – stop those we can’t trust accessing the sensitive stuff. I’ve pitched my idea to the board and they’ve approved the investment. It’s a few months since the ICO announcement and, as time is of the essence, make it happen. Nice work team.

www.cyber-ark.com

Cyber-Ark Software is exhibiting at Infosecurity Europe 2010, the infosec event on April 27-29 in its new venue of Earls Court, London. For further information, visit:

© 2024 Professional Security Magazine. All rights reserved.