Yes, the title is spelled right, though if you are reading this on the 13th of Feb. 2014 and in the southeast then you are also probably ‘snowed in’ due to the winter storm!
So what is being ‘Snowdened’? It has nothing to do with the weather, but it certainly can be a huge storm. This is a situation where an organization has a large, and usually a public, data leakage caused by someone with legitimate access to the information, as Edward Snowden (hence the name) did to the NSA. This article is not going to be about whether what he did was right or wrong at a national, even international, level; this is going to be about the fact that someone took some documents and exposed them to people outside of the organization’s desired audience. OK, enough about that.
What to do about those powerful system administrators?
One of the problems with information technology is that the IT personnel who maintain the computer systems housing the data usually have full access to the intellectual property on those systems. As someone who was a network/server administrator for 15 years starting in the mid-90s, I know personally that it has historically been difficult to separate system access from data access while still enabling IT personnel to do their jobs. Some data storage options can handle that type of separation, but many legacy systems cannot, and although newer systems can help with the separation, they are often not set up that way for many reasons: not only a lack of adequate skill sets and knowledge, but also those two extra unofficial layers of the OSI model, politics and money. Some IT personnel, including upper-level managers, don’t want to have capabilities taken away, and they don’t want to risk something new breaking legitimate data access for users. And of course, data protection is often perceived to be costly.
Edward Snowden used his access and ‘web crawling’ software to download the data he wanted to exfiltrate. The permissions on the files were tied to the storage system’s structure, NOT directly to the documents themselves. Once he had pulled out the data, it could be copied and read on most computers in the world, even smartphones.
So how can data access and system access be separated?
For document access, both Microsoft and Adobe have Digital Rights Management capabilities. DRM adds permissions, and good encryption, directly to the files, so that even when documents get copied to other systems, whether via e-mail, removable disk, etc., those files still need the proper authorization to be viewed. When someone tries to open the documents, Microsoft Word, Adobe Acrobat Reader, etc., will see that the files are protected with DRM. The DRM metadata will also tell those applications which server to check for authorization. If the server is not reachable then the documents will not open, as would definitely have been the case with Edward Snowden, and also Spc. Bradley Manning, since those files were on a classified network unreachable from the Internet. At least we hope it isn’t reachable that way.
Not only can viewing the documents electronically be restricted, but so can printing them out and taking screenshots. Yes, someone could use a camera to take a picture of the screen, but facilities such as those where Edward Snowden worked have policies against bringing cameras into the work area. Even if cameras are allowed, sitting in front of one’s computer taking pictures for hours is not likely to happen.
Another feature is that files can be set to expire after a certain date, similar to what you may remember from the old show (and the movies starring Tom Cruise) Mission Impossible, but without the data going up in a puff of smoke. Even without the pyrotechnics, an effective data leakage deterrent is to set the files so that they are not viewable by anyone after a certain period.
Separation of duties
Unfortunately, it is still possible for system administrators to view DRM protected documents in some cases because the certificates controlling access to the files are also administered by the same administrators. Many years ago I worked on a project and the requirements were that only two or three high ranking people would be able to view certain documents. Ironically, the mechanism and procedures selected to, theoretically, meet these requirements gave several system administrators and clerks complete access to these files. Complete data leakage would still have been possible in this scenario.
This brings us to one of the basic security principles: separation of duties. The DRM should be managed by someone, or a team, that does not have system administrator access. In other words, the keepers of the keys shouldn’t also have the ability to export large amounts of the protected information. There is a much, much smaller chance of exfiltration if multiple staff members have to work together to extract data.
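The flow described above (permissions and encryption carried in the file itself, a rights server that must be reachable and must approve the user, an expiry date, and keys held by a team separate from the system administrators) as an added toy model in Python; this is not code from the original post or from any Microsoft or Adobe product. The SHA-256 keystream cipher stands in for the real encryption those products use, and the server name `rms.example.internal` is a placeholder I chose.

```python
import hashlib
import json
import os

# Toy stream cipher (SHA-256 in counter mode), an assumption standing in
# for the real AES used by commercial rights management; illustration only.
def _keystream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)

class RightsServer:
    """Holds content keys and policies. Run by the DRM team, who are
    deliberately not the system administrators of the file servers."""
    def __init__(self):
        self._keys = {}      # policy_id -> content key
        self._policies = {}  # policy_id -> {"viewers": set, "expires": "YYYY-MM-DD"}

    def create_policy(self, policy_id, viewers, expires):
        self._keys[policy_id] = os.urandom(32)
        self._policies[policy_id] = {"viewers": set(viewers), "expires": expires}
        return self._keys[policy_id]

    def request_key(self, policy_id, user, today):
        # ISO dates compare correctly as strings, so "today >= expires" is expiry.
        pol = self._policies.get(policy_id)
        if pol is None or user not in pol["viewers"] or today >= pol["expires"]:
            return None  # deny: unknown policy, not an authorized viewer, or expired
        return self._keys[policy_id]

def protect(server, policy_id, viewers, expires, plaintext):
    """Seal a document: cleartext header says which server to ask, body is encrypted."""
    key = server.create_policy(policy_id, viewers, expires)
    header = {"server": "rms.example.internal", "policy": policy_id}
    return json.dumps(header).encode() + b"\n" + _keystream_xor(key, plaintext)

def open_document(blob, server, user, today):
    """What a DRM-aware reader does: consult the header, ask the server, decrypt or refuse.
    server=None models a copy taken to a machine that cannot reach the rights server."""
    header_line, body = blob.split(b"\n", 1)
    header = json.loads(header_line)
    if server is None:
        return None  # server unreachable: the copied file stays sealed
    key = server.request_key(header["policy"], user, today)
    return None if key is None else _keystream_xor(key, body)
```

A file-server administrator who copies the sealed blob holds only ciphertext; the rights-server team holds only keys and policy, so exfiltration in the clear needs both roles to cooperate.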
Cost of Digital Rights Management
As previously mentioned, one of the deterrents to DRM is the perceived cost. In the case of Microsoft’s DRM, many organizations already own the necessary licensing, so there is not a significant expense to getting started. However, having the expertise to architect and properly implement DRM is not a skillset many organizations already have. This brings up the question of how much your data is worth, and how much impact it would have if your information were leaked to competitors and the rest of the world. Microsoft’s DRM solution works well with SharePoint, though both systems can work independently.
Digital Rights Management is a way to protect electronic documents even if they are copied from the system where they are normally stored. Massive data leaks can be prevented using a proper implementation of DRM with good security principles to include a separation of duties. Deploying a DRM solution could save millions, even billions, in preventing data loss and embarrassment. What is your data worth?
I hope you are not snowed in. I also hope that you don’t get ‘Snowdened’. Enjoy the weather and avoid the storm.