Page 51 - CDM-Cyber-Warnings-March-2014
Your igloo from getting “Snowdend”
by Clay Calvert, CyberSecurity Director, MetroStar Systems

Yes, the title is spelled right. This article was originally written on the 13th of Feb. 2014, when many in the southeastern U.S. were ‘snowed in’ due to the winter storm. So what is being ‘Snowdened’? It has nothing to do with the weather, but it certainly can be a huge storm. It is the situation where an organization suffers a large, and usually public, data leak caused by someone with legitimate access to the information, as Edward Snowden (hence the name) did to the NSA. This article is not going to be about whether what he did was right or wrong at a national, or even international, level; it is about the fact that someone took some documents and exposed them to people outside of the organization’s intended audience. OK, enough about that.

What to do about those powerful system administrators?

One of the problems with information technology is that the IT personnel who maintain the computer systems housing data usually have full access to the intellectual property on those systems. As someone who was a network/server administrator for 15 years starting in the mid-90s, I know personally that it has been historically difficult to separate system access from data access and still enable IT personnel to do their jobs. There are some data storage options that can handle that type of separation, but many legacy systems do not. Though newer systems can help with the separation, often the systems are not set up that way, for many reasons, including not only a lack of adequate skill sets and knowledge but also those two extra unofficial layers of the OSI model: politics and money. Some IT personnel, including upper-level managers, don’t want to have capabilities taken away, and they don’t want to risk something new breaking legitimate data access for users. And of course, data protection is often perceived to be costly, an unnecessary expense.
Edward Snowden used his access and ‘web crawling’ software to download the data he wanted to extricate. As with the vast majority of stored data, the permissions on the files were tied to the server and database’s structure, NOT directly to the documents themselves. Once he had downloaded the data, it could be copied and read on most computers in the world, even smartphones.

So how can data access and system access be separated? For document access, both Microsoft and Adobe have Digital Rights Management (DRM) capabilities. Microsoft’s server product is Rights Management Server (RMS). DRM adds permissions, and good encryption, directly to the files, so that even when documents get copied to other systems, whether via e-mail, removable disk, etc., those files still need the proper authorization to be viewed. When trying to open these documents Microsoft Word, Adobe