Your data is your business. And if you're not vigilant about your employees' access to that data, you're going to end up out of business. That's the advice of Patricia Titus, current CISO of Unisys and former CISO of the Transportation Security Administration.
Titus has first-hand knowledge of the insider threat in both the public and private sectors. We interviewed Titus about how she is managing this risk at Unisys through a combination of new technology and end user education. Here are excerpts from our conversation.
What trends are you seeing regarding the insider threat?
Probably the biggest problem is the consumerization of IT and the newer technologies which allow mobilization. While it increases efficiency, it also creates opportunity. As you start rolling out mobile applications, you want to get information into the right hands, but perhaps your access control isn't as good as it should be.
Do CISOs and CIOs realize what a big threat insiders are versus outside hackers?
Actually, we do. We do recognize the issues with our employees and data access, and that access management is a big problem. It's a problem in the public sector, and it's a problem in the private sector. Probably we are more focused on it in the private sector because data loss can be so damaging. We are spending resources to protect against the insider threat because of the amount of intellectual property we have and how valuable that information is outside the country. Especially for systems integrators like Unisys, the opportunity for employees to walk out of the building with our intellectual property so they can use it on the next contractor is quite great. There's a lot of right-sizing and a lot of transition in companies. Humans are creatures of habit, and as you try to change organizations to be more efficient, employees are unhappy. They might have access to HR information, and somebody forgot to remove their access. Employees are looking at an opportunity and thinking [they] won't get caught. CISOs and CIOs recognize this threat and are implementing those technologies that will catch the nefarious actors.
What technologies are CISOs deploying to address the insider threat?
One that we're getting ready to deploy is data-loss prevention technologies. The other is making sure that you are really looking at your access controls, to see who has access to what system and do they have the authority. That can be laborious, but it's critical. Lots of companies do an annual re-assessment of access control. We're finding out at Unisys that we're going to have to do it more frequently based on employee turnover. You need to make sure that you've got your applications tied to your Active Directory and make sure that your access is behind firewalls so that when you remove a person's domain, you remove their access to everything.
Which of these technologies is Unisys deploying?
We have integrated access cards, our Stealth product, data-in-motion and data-at-rest capabilities. For data-at-rest, we're moving to a stronger set of authentication, and we're moving toward hard-disk encryption for certain roles in the company. For data-in-motion, that data is encrypted as it is traversing our network. Unisys has created a product called Stealth that creates communities of interest, and data is encrypted from peer to peer. If you've got people working in HR with personally identifiable information, you want them to only communicate with each other and not have somebody who might be listening on the network who might be capturing their information. We've also integrated our common access card to a logical access card so the building card that gets me into the office physically also logically gets me into the remote access system. We're looking at integrated [Security Information and Event Management] technology, which integrates several different security tools into a single, consolidated analytical tool. We have a pilot of data loss prevention solutions. We're analyzing to see if white listing or black listing will work for us.
How do you address log files?
We have a tool that we use that looks for change management: if somebody makes a change in one place and it opens up a hole in another place and suddenly people have access to data. I also have somebody looking at the log files for certain behavior, such as large data transfers.
How do you address the insider threat in your hiring process?
I've just reviewed our hiring process that covers interns and employees. What we do is a corporate background investigation on every new hire.
What about IT staff? Do you find they are more likely to be involved in a security breach?
I wouldn't say they have a higher incidence of doing it, but I would say they have the tools to do it. You have to continue educating them. In the government, some of my folks thought they didn't need to follow the same rules that we were pushing to everyone because they were in security. The reality was they had the ability to crack passwords and eavesdrop on the network. We had those capabilities for good reason. As a CISO, you know that those people are the ones that can do the most damage. If you're letting a person go who has those types of rights, that person is someone you might want to say today is your last day but we'll give you two weeks' pay. Most people do not want to do bad things because they want to keep their job. Usually there is a trigger for somebody, some sort of an HR change, and that's when you need to be really cognizant of what they have access to and what you need to do to protect the resources of the company.
What concrete things can CIOs and CISOs do to battle the insider threat?
We always talk about technology solutions, but I personally think that a lot of what you can do to solve this problem is to educate. If you as CISO take the time to meet with the people in the trenches and give them the awareness of what to look for, they are the best at being able to find people sitting right next to them who are doing nefarious things. We tell them that if something is unusual, they should pass it off to the authorities in the company so we can look into it.
What data should companies focus on protecting?
You have to look at your business and your mission and figure out what data is critical to you. Look at what data is most valuable to you first, and then look at who has access to it. Then look at your third-party partners. They have access to a lot of data, and you need to know how they are protecting it on their site. Do they do corporate investigations of their employees? Do they have the right security protocols in place to protect the network? Small businesses are under attack, serious attack, and they don't necessarily have the corporate resources of Unisys or other major companies. These small businesses are also very high-value targets, and they may not have taken the time to implement [proper security]. I'm going to venture a prediction that we see an upswing in lost data from third-party partners and small businesses.
How frequently do you find rogue insiders?
We find a handful a year. Most of the time it's people who are leaving the company who want to take information with them, not recognizing that that information doesn't belong to them. I've been briefing people on situational awareness, current threats and vulnerabilities, including the insider threat. Your biggest ally against the insider threat is having everyone pay attention to the guy next to him. The insider threat is going to be more serious as we look at companies losing their intellectual property, and it's going to affect their bottom line. Our CEO is very serious about protecting intellectual property. Companies that don't think the insider threat is real won't be in business for too many years. Data is the business, and if you start losing the data, you're not going to be in the business for long.