Spy agencies look for tools to automate enforcement of two-man-rule for access
- By William Jackson
- Jul 15, 2013
The intelligence community is tapping cloud security company HyTrust to help automate enforcement of the two-man rule for administrative access to sensitive data in the wake of recent revelations about domestic spying.
The rule requires two people with separate sets of credentials for access to sensitive resources, an idea that is gaining attention since the disclosure of intelligence records by National Security Agency contractor Edward Snowden.
The move comes in the form of a strategic investment and technology development agreement with In-Q-Tel, the intell community’s investment firm that funds commercialization of technology in demand by agencies. The deal is intended to speed deployment of HyTrust products by agencies to automate management controls in virtual environments, and to fund enhancements to the technology, said HyTrust president Eric Chiu.
Although the enhancements will be commercially available and are expected to appear in products within the next six to 12 months, Chiu would not say what they are. He described them as refinements to existing capabilities rather than development of new technology.
“Intelligence needs for the most part match the commercial sector’s needs,” he said. “But there are some additional needs.”
The deal was put together in the past few weeks, he said. “You can infer from recent news that certain things are very important to the intelligence community.”
“Our partnership with HyTrust will accelerate and enhance the company’s technology relating to the control, management and compliance of virtual datacenter environments,” Robert Ames, who heads In-Q-Tel’s information and communications technologies practice, said in a statement.
The National Security Agency is defending itself from domestic and international criticism since the release last month by former NSA contactor Edward Snowden of some details of wholesale collection from U.S. companies of information about the communications of U.S. and foreign citizens. NSA Director Gen. Keith Alexander told the House Select Permanent Intelligence Committee on June 18 that NSA now has at least 1,000 systems administrators, a growing number of them contractors, like Snowden. To better control and track their actions, Alexander said the agency is implementing a two-man-rule, requiring secondary authorization for some activities so that no one person has unfettered access to the keys to the kingdom.
Chiu called the Snowden case a “poster-child example” of the insider risk posed by privileged access. He said those risks are magnified in the cloud and other virtual environments as multiple systems are collapsed into a single infrastructure that is accessed remotely.
“The intell community is adopting virtualization and the cloud rapidly,” he said. This requires fine-grained access controls, and additional requirements such as secondary authorization must be as transparent as possible. “It has to be automated and it can’t be cumbersome, otherwise people won’t want to use it.” And if people don’t like it, they will find ways around it.
HyTrust appliances act as a gateway for all management activity, authenticating privileged users, enforcing least-privilege and role-based access policies and implementing workflow for policies such as the two-man rule. If secondary authorization is needed for an action the request is automatically passed to the proper person for approval, and only then is permission given to the administrator with a window of time for the task. After that window closes new permission is required.
Another element in defending against insider threats is monitoring and logging administrator activities, a task complicated by the fact that administrators usually have access to and can edit security logs. Chiu said HyTrust appliances’ housing log data are segregated so that administrators do not have access to them, and they can be encrypted for additional protection against tampering.
Virtualization product vendor VMware is investing along with In-Q-Tel in the project. The amount of the investments has not been released, although Chiu described it as “significant.”
William Jackson is freelance writer and the author of the CyberEye blog.