Inside Out: Preventing Data Breaches From Within Your OrganizationThursday, January 22, 2015
Large data breaches that are caused by the hacking of computer networks by shadowy interest groups or rival foreign governments make big news. These stories are the type that make network administrators wake up in a cold sweat and re-check their firewall rules at odd hours of the night. But big hacks from outside the network are hardly the biggest threat to data security faced by organizations. The biggest threats still come from within.
Especially in smaller organizations, dismissing the potential of vulnerability to insider threats against data security often seems justified because team members tend to know one another quite well and have a high level of trust in their co-workers. Though trust in team members may be generally well-placed, no organization can afford to overlook vulnerabilities to insider threats because of the potential size and severity of a breach perpetrated by a credentialed user. The U.S. National Counterintelligence and Security Center illustrates this argument best by noting that, "Today more information can be carried out the door on removable media in a matter of minutes than the sum total of what was given to our enemies in hard copy throughout U.S. history."
Once an organization has recognized the importance of its vulnerability to insider threats, questions are raised about how to minimize the organization's vulnerability to such threats. You minimize your vulnerability by following the "Defense in Depth" security paradigm, which calls for multiple layers of defensive measures. To be truly effective, however, Defense in Depth must be more that simply piling on layers of security solutions and hoping that one will alert you to a problem. It involves thinking about the security of your organization and its data "inside out." Don't simply focus on your data storage and transmission infrastructure; rather, focus on how data flows both inside and outside of your organization. This type of thinking will enable you to find and minimize data security vulnerabilities more effectively and efficiently. The following solutions are often part of Defense in Depth strategies:
- Role-Based Access Control: People often have more than one "job" within an organization. These jobs often have differing levels of sensitivity. Re-evaluate the roles of personnel within your organization and, when individuals fill multiple roles, assign them separate access credentials. For example, if a doctor also functions as a system administrator, she should not be using her system administration login when seeing patients.
- Common-Access Control Strategies: Resist the urge to weaken access controls for users who access network resources internally. If you have really strong access control schemes for users of a VPN, consider implementing these controls inside your network, as well.
- Vendors as Insiders: A need for multiple support personnel to access your organization's supported information systems often results in vendors asking for a wide breadth of access to your systems, or relaxation of your access control rules. Your need for their (often urgent) help may compel you to grant such access. Discuss access needs with your support providers before a crisis situation occurs. Once access is granted, your vendors also are considered insiders.
Joe Beckman serves as a graduate advisor for security services with Purdue Healthcare Advisors, where he works to implement healthcare industry-related security solutions with an emphasis on risk analysis for providers.
Writer: Joe Beckman, 765-496-1911, firstname.lastname@example.org
Tags: Health IT Security