Recent headlines heralded another unfortunate security breach: an employee of the NSW Treasury in Sydney, Australia, illegally downloaded more than 5,600 sensitive government documents, which were later recovered at his home.
The NSW government labeled this a “significant cyber incident”; it was detected by an internal security monitoring tool that flagged “movement of a large cache of documents”.
This is a case of “data loss reporting,” not “data loss prevention.”
Why insider threats continue to be a challenge
Organizations are trusted as stewards of the information that people (the citizens of Australia in this case) provide so that services can be delivered to them. We trust that it will be properly managed and not made available to anyone who might use it maliciously.
Insider-perpetrated incidents (insider threats) like this are a reminder to apply the principle of least privilege, which leading compliance and privacy groups have evangelized globally for decades. The principle advocates a simple best practice: only grant access to information that is necessary for a user to complete their job or role.
This incident is one in a long line of compromises from within. So why are insider threats so hard to prevent? It’s important to recognize that access models have not changed much in the past 20 years, and as a result, losses from insider threats continue to mount.
The dangers of over-provisioned access in role-based systems
As the investigation continues into this incident, it appears to mirror many others: insiders take advantage of role-based systems that over-provision access to data because it is hard to understand exactly what permissions are being granted to a person.
If you’ve ever administered a role-based system, you know that you are mapping a role assigned to a person onto various (most of the time vast) stores of data, which gives them access to everything, regardless of the sensitivity of that data.
How attribute-based access controls (ABAC) enforce the least privilege principle
The “least privilege” principle is better supported by more modern methods of granting access, such as attribute-based access controls (ABAC). An ABAC model compares the attributes a person holds (department, clearance, project or program attributes, etc.) and environmental attributes (device, location, time of day, etc.) with the attributes of the content (sensitivity, metadata, etc.) in the repository to make access decisions.
Based on what we know about this incident, the insider was a “grade” employee, not a senior executive service member; however, they stole information reserved for those higher-level employees.
A very simple ABAC policy aligns attributes like “senior executive” to the data that should only be seen by a senior executive, regardless of the access rights to the container in which it is stored. Anyone without the correct attributes will not be able to see or access the data.
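The following Python sketch is an added example, not archTIS code or part of the original article. It contrasts a role-based container check with an attribute-based decision of the kind described above; the attribute names, level labels, business-hours window and sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Ordered level labels (assumed for this example; not taken from any product).
LEVELS = {"grade": 1, "senior_executive": 2}

@dataclass(frozen=True)
class Subject:
    level: str            # "grade" or "senior_executive"
    department: str
    roles: frozenset      # role grants, as a role-based system would hold them

@dataclass(frozen=True)
class Environment:
    managed_device: bool
    hour: int             # local hour of the request, 0-23

@dataclass(frozen=True)
class Document:
    container: str        # repository or folder the file is stored in
    min_level: str        # sensitivity label carried by the document itself
    department: str

def rbac_allows(subject, doc):
    """Role-based check: a grant on the container exposes everything inside it."""
    return f"{doc.container}:read" in subject.roles

def abac_decide(subject, env, doc):
    """Return (allowed, reasons). Every rule must pass; unknown labels deny."""
    reasons = []
    s_level = LEVELS.get(subject.level)
    d_level = LEVELS.get(doc.min_level)
    if s_level is None or d_level is None:
        reasons.append("unknown level label")
    elif s_level < d_level:
        reasons.append(f"level {subject.level} below {doc.min_level}")
    if subject.department != doc.department:
        reasons.append("department mismatch")
    if not env.managed_device:
        reasons.append("unmanaged device")
    if not 7 <= env.hour < 19:  # assumed business-hours window
        reasons.append("outside business hours")
    return (not reasons, reasons)

# Constructed sample data: both users hold the same role on the same share.
GRADE = Subject("grade", "treasury", frozenset({"treasury_share:read"}))
EXEC = Subject("senior_executive", "treasury", frozenset({"treasury_share:read"}))
BRIEF = Document("treasury_share", "senior_executive", "treasury")
MEMO = Document("treasury_share", "grade", "treasury")
OFFICE = Environment(managed_device=True, hour=10)
```

Logging the returned reasons for each denial gives an audit trail that shows which attribute failed, rather than only that a request was blocked.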
Modernizing your approach to access control
Adding an ABAC capability allows your organization to function at the speed necessary in today’s technology-driven world while moving away from the overprivileged situations we continue to see in the news, where traditional access controls fail to prevent these compromises.
The complete archTIS portfolio of solutions is built on an ABAC foundation to ensure that only the right people have access to the right information at the right time. Contact us to start a conversation.
