Would data level controls have stopped Snowden?

By E.K. Koh

The blog What the Snowden affair taught us questioned, “Why should a system administrator be allowed to download and move files? Shouldn’t system privilege and data privilege be separate?”

Ideally “yes”, but in practice, that has not been the case.

Most system administrators have unfettered access to data given their system privilege. This happens because their jobs often require them to be able to move and copy data and documents. However, not all documents are the same and depending on the classification of the document, certain restrictions may be required. For example:

a)    You may choose to allow administrators to only move or copy files with certain security classifications, or
b)    You may choose to allow administrators to move files to certain designated locations, but not onto USB drives, or attempt to FTP or email or print certain classified files, or
c)    You may choose to restrict access or usage privilege based on the location of the administrator; for example, access can be curtailed when the administrator is traveling, or when accessing data from a remote or unapproved device

The above are some simple examples of finer grained data-level controls that would have made it harder for someone like Snowden to copy the classified files. Controls that are finer-grained and data-centric go beyond privileged access management, which typically provides shared ID management, in addition to system and account discovery and system-level access monitoring. Privileged ID management solutions can facilitate privilege ID usage, monitor and detect infractions, but not necessarily prevent them before they occur. Many privileged access management tools also tend to be system-based and coarse-grained (for example, block access to certain applications or system privileges), but often cannot provide data level access or usage control. While sandbox controls like this one may be identity-aware, they may not be granular enough to permit authorized data handling that needs to occur.

Other less specialized solutions, such as data protection or DLP, may also come up short for this use case. DLP often focus on scanning and blocking sensitive data at the network perimeter, failing to address several key problems:

a)    the majority of data loss actually occurs within the corporate network; in the case of Snowden, he simply copied it to his USB drive or perhaps printed hard copies
b)    necessary sharing must occur outside the network; for example the author of a classified document often has legitimate need to email a version to a co-author, but existing solutions would often block the email or sharing based on simple keyword scans

Unfortunately, a solution that blindly blocks all sharing or copying will not be accepted by the organization. Data level controls need to be:

a)    Identity-aware: depending on who the person sharing the file is and who he is sharing the file with, the software must apply the appropriate controls
b)    Content-aware: depending on the security classification of the person (identity-awareness) and the security classification of the content (content-awareness), the control method could be different
c)    Context-aware: depending on contextual elements, such as where the user is, time of day, where the file is being copied or moved to, or which application is being used, the control method could be different

The above requirements call for finer grained attribute-based access control (controls based on attributes of the user, the content he is accessing, and the context in which he is using the content). NIST recently published their Guide to ABAC, an indication of the emerging importance of this technology.

The NIST report lists a second benefit of ABAC beyond fine-grained controls: controls that can be applied to data across systems, applications, and devices across the entire enterprise. A data-centric solution applies controls across the entire data lifecycle (as the data moves from the author’s PC to a file server to an intranet portal such as SharePoint).

Both granularity and coverage are the key components of solution that can stop rogue administrators like Snowden, but also support legitimate collaboration.

7 thoughts on “Would data level controls have stopped Snowden?

  1. tinawhitfield

    Thanks for posting. Glad NIST has published their guide. ABAC or Attribute Based Access Control has the ability to simultaneously be Identity Aware, Content Aware, and Context Aware provides a mechanism for controlling access regardless of who is attempting to access the data as well as when and where the access is attempted.

  2. Dennis Andrie

    Yes, ABAC beats traditional “Blocking-Centric” Access Control approaches hand’s down. Blocking-Centric Access Control places a great deal of emphasis on blocking data from users or blocking users from data. The effectiveness of blocking is limited to situations where data travels well-documented, well-understood routes that can respond to data controls.

    Today, enterprises are “BYOD” with greater global collaboration on highly secure projects involving employees, contractors, vendors, and customers. The data travels random routes that are not under the control of, and possibly not visible to, data owners. One of the key operational differences between ABAC and more traditional approaches to securing data is that ABAC is all about getting the data to the people who need it at the appropriate time in the appropriate place.

  3. Ahuvah Berger-Burcat (@ahoova)

    We at Covertix believe that the best way to prevent unauthorized usage by internal and external users is to attach the IT Policy to the data found within a file (any kind of file). This means that no matter where the file goes, the rules go with it and is automatically transferred to a new file if an authorized user copies/pastes some/all of the content.

  4. ek.koh

    Yes. Attaching the policy to the file is one way; this is similar to what rights management solutions provide. However, data protection needs to extend beyond files and documents as well. What about the structured data that is in your ERP, PLM or collaboration systems? The enterprise app need to enforce the same set of policy to ensure end to end data security.

  5. fromwindyhill

    Well, ABAC would have limited the damage caused by Pvt. Manning, for sure. He was apparently authorized to look at State Department reports for a specific purpose related to his specific area of respoonsibility. (Why he was credentialed for this access is another question.) But lack of ABAC controls allowed him access to much wider info than his assignment required. Thus is ABAC had been in place, even if the credentialing and supervisory process failed, the damage would have been much more limited.
    Snowden is a different case. Apparently he was a “privileged user” with broad admin rights. I assume that may have included the ability to bypass or alter the access-control systems guarding sensitive data. The problem there would appear the failure of major OS vendors to subject administrators to the same controls that apply to other users. That is, the vendors need to eliminate the “super-user” concept. I believe this is feasible: access to perform system functions should not require ability to see “mission” data in the clear.

  6. […] my last blog, Would data-level controls have stopped Snowden, I highlighted the importance to separa... nextlabs.wordpress.com/2014/01/23/can-we-turn-off-snowdens-access-after-the-fact
  7. ek.koh

    I agree with fromwindyhill that privilege users should not have broad rights: system privilege and data privilege should be separate. A privilege user should have system rights but not necessarily data rights. In Snowden’s case, he apparently stole other priviledged identities … and if you could steal any identity you want, then presumably you can eventually steal an identity that would give you the rights to view/copy any sensitive data. Defense in depth is needed to help mitigate such risks. See the blog for more information: http://goo.gl/tygB1z

Leave a Reply

Your email address will not be published. Required fields are marked *