Keeping personal information personal
Commentary: Employees' peeks at Obama records underscore the problem of casual browsers misusing their positions.
- By William Jackson
- Dec 29, 2008
There is nothing like telling someone not to do something to make them think about doing it. The Secretary of State’s office in Barack Obama’s home state of Illinois issued a memo warning employees not to access the president-elect’s information without authorization. But earlier this month, it was reported that nine employees in the office have been temporarily suspended for browsing in verboten files beginning the day after the Nov. 4 election.
In the end, the offending employees received only a three-day suspension without pay because it appeared to be a matter of idle curiosity rather than malicious intent, but not until after the Secret Service had gotten involved.
The incident highlights the difficulty of protecting personal information from curious insiders. This was not the first Obama breach. In late November, Verizon employees were found to have browsed Obama’s mobile phone records, and in March, workers and contractors at the U.S. State Department accessed passport records of presidential hopefuls.
Controlling access to sensitive records — and almost any kind of record could be sensitive, depending on its use — is a challenge. There are plenty of products available to protect data and control access, but the first and last line of defense in cases such as these is not technical at all; it is awareness. Most people will not intentionally do something wrong if they know it is wrong. Most of those who are tempted to cut a corner or take an innocent peek can be dissuaded by a reminder and a warning that inappropriate activities are being monitored.
The real challenge comes in setting up the policies. Sensitive information presumably is being maintained for a purpose, which means that somebody must be able to access it at some time. If it never is to be accessed, don’t retain it. But how do you ensure that it is only accessed appropriately?
Access control tools can whitelist and blacklist workers according to their identity, and role-based access controls can refine access by defining privileges according to an individual’s role in an organization. But maintaining control lists is difficult because roles tend to multiply. One person often fills multiple roles in an organization, and often no two people fill the same set of roles. Roles shift as employees and contractors come and go, and it becomes a burden to business managers and IT administrators to keep track of them. As a result, the number of roles in an organization tends to grow so that there are often more roles than people, and people often have excess and outdated privileges. This makes it difficult to tell who should be doing what.
Even if this difficulty is solved, there is the problem of a person with appropriate access privileges unnecessarily sneaking a peek at something out of curiosity.
The key is to back up access controls by monitoring and logging activity in these files, so that inappropriate behavior can be spotted. This is the insider version of intrusion detection, and it requires a degree of sophistication to identify suspicious behavior because there might not be a clear-cut violation of the rules. In the end, it probably requires the judgment of a human looking at a set of suspicious records to decide if something inappropriate occurred.
Awareness and good policy help to eliminate the low-hanging fruit, allowing you to concentrate on those who are determined to do as they please, whether for fun or profit. With a little luck, this harder core will be small enough that you will be able to control it with monitoring and analysis.
William Jackson is a Maryland-based freelance writer.