WikiLeaks: Stronger Access Mgt. Needed
Was a Process Failure Preordained?
Not adequately implementing access management - deciding who should gain entry not only to an IT system but to specific data, as well - is a major process failure that led to the WikiLeaks leaks, the unauthorized access and downloading of 250,000 sensitive and classified diplomatic cables and other files.
Simply, if properly configured, an access-governance system might have prevented an Army private from extracting the diplomatic cables. The government alleges that Pfc. Bradley Manning, an Army intelligence analyst, illicitly downloaded the files through a Secret Internet Protocol Router and saved them to a disk, which he provided to WikiLeaks. Though Manning had a security clearance - his job was to route intelligence reports to his superiors - it's unclear why he would or should have had authorization to access and download State Department reports.
Was the process failure preordained? Perhaps. A survey of federal IT security executives and staffers, released earlier this year, suggests that the challenges of securing government information assets are more evident to the rank and file than they are to their superiors. The survey, Security in the Trenches: Comparative Study of IT Practitioners and Executives in the U.S. Federal Government, conducted by the Ponemon Institute for enterprise software vendor CA, reveals that rank-and-file employees were much more likely than executives to see the necessity of certain enabling technologies to reduce or mitigate security risks within their organizations. The technology with the widest difference: identity and access management systems.
Fifty-seven percent of rank-and-file workers said they saw the risk in identity and access management systems versus 41 percent of executives, a 16-percentage-point difference. On access governance systems, 62 percent of the staffers but only 43 percent of executives saw the risk, a 19-percentage-point differential.
Why the gap? "Executives tend to see the big picture, whereas the IT staff-level sees a more focused view," Gilda Carle, a relationship expert who has worked with the Army, Internal Revenue Service and IBM, said in a statement issued with the survey results. "The difference in viewpoints can greatly affect how well an organization achieves its objectives."
The takeaway isn't just that government IT security policymakers need to be more aware of beefing up access management systems, but that they need to become more attentive to what goes on in the trenches, where each individual poses a potential threat.