Who’s on First? Creating a Data Security Roster to Safeguard Data From Insiders

March 18, 2016
| |
4 min read

Major League Baseball’s spring training will wrap up in a matter of weeks, and baseball stadiums everywhere are getting ready for opening day — you might even be able to smell the peanuts already. But when it comes to your sensitive data security, do you know who’s on first? More importantly, do you know who’s stealing home — and potentially stealing your sensitive data, too?

Unfortunately, most organizations don’t have this much awareness of or control over insiders accessing sensitive data. Sometimes they have no awareness of who has access to sensitive data. This is particularly problematic and risky when it comes to privileged users, who have access to everything important.

What’s even more interesting is that a 2015 IBM X-Force report indicated that 55 percent of all attacks are related to insider threats. Similarly, findings from PwC’s “2015 Information Security Breaches Survey” in the U.K. found that “75 percent of large organizations and 31 percent of small businesses suffered from staff-related security breaches in the last year.” To make matters worse, exactly half of the worst breaches were caused by human error.

Who Represents an Insider Threat?

When it comes to insider threats, there are several types of risks to watch for.

Organizations tend to be more sensitive to disgruntled or malicious employees that represent risks. Those risks can range from causing minor disruptions or embarrassment because of a disgruntled employee to major disruptions and brand damage from sensitive data being leaked or destroyed.

However, there are two other types of insider risks that tend to be more overlooked: the third party with access to sensitive systems or data and the employee who falls victim to schemes. Any of us can end up being that employee under certain circumstances.

If they have access to sensitive data or systems, third parties such as suppliers or outsourced IT teams should be monitored as if they are a standard part of the organization. It’s any of these insiders with privileged access to sensitive data and systems that represent the greatest risk. They need to be evaluated and monitored closely to reduced risks.


Getting Started: Know Your Users and Data

It’s not all gloom and doom. There is a simple way to start taking control and reducing risk. There are just two things you need to do: Know your users and know your data!

When it comes to knowing your users, you need to start answering the following questions:

  1. Who has access to sensitive data?
  2. Who should have access?
  3. What are users doing with data?
  4. What are administrators doing with data?

Likewise, when it comes to knowing your data, begin thinking through and determining the answers to these four questions:

  1. What data is sensitive and where does it live?
  2. Is the right sensitive data being exposed to the right users?
  3. What risk is associated with sensitive data?
  4. Can you control privileged user access to sensitive data?

Identity management and data security technologies exist to make answering and resolving these questions easier. You can get started by just sitting down and considering your top sensitive systems and who has access to them. You’ll start to get a feel for your risks and exposures very quickly.

When you want to take a more controlled look at knowing your users, there are two important things you need to put into action: You must manage access, and you must trust but verify. When managing privileged access, it’s critical never to allow users direct access to sensitive systems or to the master password that will provide access to those systems. By having privileged users log in under a personal user ID and password, which triggers a hidden master password to open access, you are able to learn who is accessing data and take specific action if any risks emerge.

Then, you must trust but verify. Allow privileged users to have the access they need, but record and monitor their sessions. This way, you create a record of their activities, identify what’s gone wrong and take appropriate action.

Essential Capabilities for Data Security

There are a few capabilities that are essential to taking a closer look at your data. The first is automated discovery and classification of sensitive data. Frequently, sensitive data occurs in more systems than you would think; for example, one client IBM worked with thought it had sensitive data in 20 systems, but that number actually ended up being 200 systems. Automated discovery and classification is important because if you don’t know where your sensitive data is, you can’t possibly protect it.

The second essential capability is real-time data activity monitoring combined with entitlement reporting. By leveraging these capabilities, you can see who is accessing sensitive data. When paired with automated analytics and machine learning, real-time data activity monitoring can help you establish a baseline of normal user behavior and then spot unusual behavior or access patterns.

Finally, the third essential capability is to take immediate action to safeguard sensitive data to prevent loss. By leveraging a solution that allows you to preset security policies, that solution can take action for you if unusual behavior does occur. It can block access, alert the security team or quarantine suspicious users until investigation can be completed.

For the greatest protection against insider threats, you should rely on an integrated security landscape where your privileged identity management solution and your data security solution work with the broader security environment for the greatest degree of intelligence and protection.

Learn more: read the X-FORCE THREAT INTELLIGENCE REPORT on Insider Threats

Leslie Wiggins
Senior Product Manager, IBM Security

Leslie Wiggins is a Senior Product Manager for IBM's Data Security portfolio within the IBM Security business unit. She is responsible for IBM Security Guard...
read more