WikiLeaks: Is Cloud the Solution?Analysts Weigh in on Securing 'The Impossible'
An access governance system might have prevented Army Pfc. Bradley Manning from allegedly downloading cables and sending the classified information to WikiLeaks. Though Manning had security clearance -- his job was to route intelligence reports to superiors -- he did not necessarily have authorization to access and download State Department reports.
Measures could have been taken to guard against the breach Manning has been accused of, but could the same measures be realistically deployed in other environments -- such as a bank, a hospital or a corporation? Not really, says Andy Greenawalt, the CEO and founder of Continuity Control, a New Haven, Conn.-based provider of Web-based software. "The core challenge here, with Microsoft Word and Excel or whatever the data formats are, when trying to secure these things, you're really trying to do the impossible," he says. "Every time you send any of these files, a copy is made."
In a large organization such as Bank of America ($2.36 trillion in assets), which WikiLeaks founder Julian Assange has suggested could be the next WikiLeaks leak target, thousands of internal Microsoft documents are saved and sent via e-mail a hundreds times over during the course of a few days, Greenawalt says. "Every time a file is sent, it's replicated thousands and thousands of times. Companies can try to protect and encrypt that information; but the reality is that something is going to go wrong, because there is always a copy somewhere," he says.mobility. Files are transmitted and received more now than ever before via handheld mobile devices, which makes implementing security safeguards and controls even more challenging. Thus, the future of secure file access and transmission can only exist in the cloud, Greenawalt argues. Computing in the cloud puts everything in one place, and access to information can be limited by privileges granted only to select employees. The cloud eliminates the need to store information on a hard drive or to a thumb drive, which also limits chances for leaks, he says.
"The need for human access proves the PC era is broken. The sooner we move on, the more secure we will all be," Greenawalt says. "By putting traffic in the cloud, you make the security and access equation fundamentally more solvable. It helps to keep you from missing a gap."
He says banks are buying into that cloud concept. In fact, many are even using Google Documents for shared access, rather than relying on traditional sent-and-received correspondence that can easily be traced and intercepted.Julie McNelley, a senior fraud analyst at Aite Group LLC. "It's the little things that lead to most internal compromises, like walking away from your desk and not locking your screen," she says. "A lot of that kind of thing slips through the cracks."
But locking the screen or PC won't help in all cases, as Greenawalt points out. "It would be very easy for an IT guy to swap out a hard-drive and just take it," he says. "It's not difficult to overcome the security practices that are in place."
Internal fraud is still one of the biggest issues in financial services, McNelley says, especially since the embezzlement of funds and the compromise of consumer financial information is so tempting. Financial institutions have put controls in place to protect information that might compromise customer accounts and ultimately lead to identity theft. But when it comes to securing their own internal information, protection has not been a priority.
Privacy expert and attorney Kirk Nahra says most chief security information officers focus on outside threats -- cyber attacks, socially engineered breaches like phishing and vishing, and the interception of transaction data. As the WikiLeaks State Department leak proves, "Internal threats are just as significant," Nahra says. "What is coming in here is corporate privacy. Twenty years ago we had a focus on trade secrets and the need for privacy in the business environment; today, we have a focus on personal privacy."
More Corporate Privacy?Nahra says corporations and the courts have forgotten about risks businesses face when it comes to their own information vulnerabilities. "There are legal reasons why an employee cannot leak information about an individual, but we have a lot of sympathy for whistleblowers." Besides, as WikiLeaks proves, once the information is out there, there's little an entity can do to combat the public relations backlash.
"What this shows is that we have all kinds of controls, but they don't work very well," Nahra says. Controls can be improved. While it might not be easy to limit the information employees must access, it is relatively easy to monitor that access -- keeping an eye on what information and files are being viewed, by whom and how often, Nahra says.
"I think it's all a question of how much infrastructure you're going to build," he says. "Are they real-time controls, or are these controls you have in place to detect a breach after something happens? There is a real difference there."