January/February 2008
Focus: Compliance

Four Realities of Policy Enforcement

By Sam Fleming 

Today’s complex, layered solutions for securing data, applications, networks, and hardware have successfully created a fortress-like shell that limits access to our sensitive data. Unfortunately, when it comes to data theft, this entire security paradigm breaks down at the point where access is granted to the trusted user.

Like those of most institutions, your company’s fraud metrics likely show that internal incidents make up just a small percentage of overall fraud losses. Conversely, nearly every published statistic, from industry analysts to the federal agencies that investigate fraudulent activity, paints a picture that can best be described as the polar opposite of your experience.

As you reflect on your own situation, you can place your institution in one of three categories:  

  1. You have a very low rate of internal fraud

  2. You mistakenly classify incidents as external when the root point of origination is actually internal (e.g. a mortgage fraud committed with a stolen identity, where the identity was obtained by an insider)

  3. You are honestly unable to identify the internal fraud that is occurring

In reality, there are inherent weaknesses in four critical areas of today’s data handling policy approaches that should cause us all to suspect we fall into the latter two categories above.

1. Policies That Are Self-Policed Are Not Effective Controls

Written policies with weak enforcement mechanisms are further undermined by our inability to see activity on the computer desktop. Many controls depend on self-policing, whereby users are responsible for enforcing policy on themselves. In this situation there is little or no accountability assigned for what happens to sensitive data once it has been accessed.

2. Application-Level Auditing Is Blind to Data Theft

Most transaction-centric applications have evolved to incorporate robust fraud detection capabilities. While these applications may identify suspicious transactions, their view is limited to transactional activity within the application (such as inappropriate chargebacks). From a data theft perspective, it is far more interesting to know what is done with the data once it leaves the scope of the trusted application, for example when a report is exported to the desktop and then copied, attached, or printed.

3. System Lockdown Can Create a False Sense of Security

Many organizations have restricted access to facilities such as CD writers, USB thumb drives, or instant messaging. These are sound measures, but on their own they do little to establish accountability when an employee moves data inappropriately. Unless you take the impractical approach of eliminating every vehicle users have at their disposal, they will simply take another route.

4. Audit Trails Require Indications of Risk

Audit trails are critical to any compliance and risk management strategy, but on their own they do little to expose risk. Because they are forensic in nature, they generally require some other indicator of risk before anyone thinks to consult them. Further, audit trail review tends to focus on privileged user (system administrator) events such as significant system changes or administrative functions, rather than on the everyday system interactions of end users.

Conclusion

The aspect of security that organizations fail to address is the most creative single point of failure: the end user. We attribute fraud losses to external factors, yet insider risk activity manifests itself time and time again, resulting in damaging public disclosures of data loss and compliance violations caused by trusted insiders who accidentally or intentionally move data inappropriately.

Responsible organizations must respond with continuous auditing efforts that emphasize accountability for data handling activities. Our goal should be to implement effective controls that provide mechanical interlocks, or that enforce rules which shed light on risky user activities. Only then can those activities be dealt with from an incident review perspective.

We must establish a holistic view of what users do with data, regardless of whether the transport method is email, removable media, printing, or some other digital vehicle. There is far too much sensitive information flowing through today’s internet- and media-enabled desktop computers. Remaining blind to this activity exposes our organizations to far too great a risk to be left to implicit trust alone.
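To make the closing argument concrete, the following is an added illustration, not code from the article or from NextSentry: a small rule engine that takes endpoint activity events (constructed sample lines, not real telemetry) and applies the same rule to every egress channel, whether removable media, email attachment, or print. It surfaces end-user data movement that a transaction-centric application or an administrator-focused audit review would not flag, and it escalates a user who moves sensitive data over more than one channel. The event format, the filename-based sensitivity classifier, and the corporate mail domain are assumptions for the example; in practice the classification would come from a tagging or content-inspection system.

```python
import re
from collections import defaultdict

# Constructed sample of endpoint activity events (not real telemetry).
# Assumed format: timestamp|user|action|object|destination
SAMPLE_EVENTS = """\
2008-01-14T09:02:11|jdoe|app_export|customers_q4.csv|C:\\Users\\jdoe\\Desktop
2008-01-14T09:05:40|jdoe|file_copy|customers_q4.csv|E:\\ (removable)
2008-01-14T09:07:02|jdoe|email_attach|customers_q4.csv|jdoe.home@example.com
2008-01-14T10:15:00|asmith|print|loan_application_8812.pdf|HP-LJ-3rd-floor
2008-01-14T11:30:22|bwong|file_copy|lunch_menu.docx|E:\\ (removable)
2008-01-14T12:01:05|sysadmin|config_change|/etc/sudoers|localhost
"""

# Assumed classifier: a filename pattern stands in for a real data
# classification or content-inspection service.
SENSITIVE_PATTERNS = [
    re.compile(r"^customers_", re.I),
    re.compile(r"^loan_application_", re.I),
]

# Every channel by which data can leave the desktop is judged by one rule,
# so restricting a single vehicle (e.g. USB) does not create a blind spot.
EGRESS_ACTIONS = {"file_copy", "email_attach", "print", "upload"}

CORPORATE_DOMAIN = "bank.example"  # assumed internal mail domain


def is_sensitive(obj):
    """True if the object name matches an assumed sensitive-data pattern."""
    return any(p.search(obj) for p in SENSITIVE_PATTERNS)


def parse_events(text):
    """Parse pipe-delimited event lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, dest = line.split("|", 4)
        events.append({"ts": ts, "user": user, "action": action,
                       "object": obj, "dest": dest})
    return events


def evaluate(events):
    """Apply the egress rule to every event.

    Returns (findings, escalations): findings is a list of flagged events
    with a severity; escalations maps each user who moved sensitive data
    over more than one channel to the sorted list of channels used.
    """
    findings = []
    channels_by_user = defaultdict(set)
    for ev in events:
        if ev["action"] not in EGRESS_ACTIONS or not is_sensitive(ev["object"]):
            continue  # ordinary work, or non-sensitive data: no finding
        severity = "medium"
        # Mail to an address outside the assumed corporate domain is worse.
        if (ev["action"] == "email_attach"
                and not ev["dest"].lower().endswith("@" + CORPORATE_DOMAIN)):
            severity = "high"
        findings.append(dict(ev, severity=severity))
        channels_by_user[ev["user"]].add(ev["action"])
    escalations = {u: sorted(c) for u, c in channels_by_user.items() if len(c) > 1}
    return findings, escalations


def run(text=SAMPLE_EVENTS):
    """Convenience entry point: parse and evaluate in one call."""
    return evaluate(parse_events(text))


if __name__ == "__main__":
    findings, escalations = run()
    for f in findings:
        print(f"{f['ts']} {f['severity']:6} {f['user']} {f['action']} "
              f"{f['object']} -> {f['dest']}")
    for user, chans in escalations.items():
        print(f"ESCALATE {user}: sensitive data moved via {', '.join(chans)}")
```

Note what the rule deliberately ignores: the sysadmin's change to /etc/sudoers is exactly the privileged-user event a conventional audit review would spend its time on, while the three findings are ordinary end-user actions that would otherwise sit unread in an audit trail until some other indicator prompted a search.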

Sam Fleming is chief technology officer for NextSentry Corporation in Spokane, Wash. He can be reached at 509-242-0777 ext. 1025 or sfleming@nextit.com.


Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.