Using Policy and Compliance Tools to Reduce Insider Threats

By Jeff Vance

(Back to article)

When Tokyo Electron U.S. Holdings, Inc. (TEL U.S.) started to prepare for Japan’s Financial Instruments and Exchange Law (informally known as J-SOX), the company decided that compliance wasn’t enough.


Like similar legislation in the United States, J-SOX mandates that companies establish effective internal controls over financial reporting. A global supplier of semiconductor production equipment, TEL U.S. is a subsidiary of Tokyo Electron of Japan. TEL U.S. had already been complying with SOX, so when J-SOX went into effect on April 1, 2008, TEL U.S. could have tweaked their controls slightly and hoped that their SOX compliance would cover J-SOX as well come audit time.


Instead TEL U.S. looked at it as an opportunity to address a bigger problem than compliance: insider risk. After all, IT dollars are tight. If you can lean on regulations to help fight security risks, everyone wins.


What TEL U.S. wanted to do was to figure out how user access, financial control and intellectual property protection all fit together. Too often, data breach stories in the press are covered as if they happen in a vacuum. The story is that information was breached and consumers were affected. Overlooked is how things like user access, and controls built around user access, contribute to those leaks.


User Access and Société Générale


Consider the Société Générale scandal in France. Trader Jérôme Kerviel, who was previously an IT employee, allegedly circumvented internal IT controls to make a series of unauthorized, fraudulent and speculative transactions that ended up costing the bank $7.2 billion. What is this story here if not a story about flawed access policies?


“Before we instituted an automatic sign-off process for user accounts, it would have been hard to tell whether or not some former employee or contractor still had rights,” said Russ Finney, VP of U.S. information systems operations for TEL U.S.


To address this problem, TEL U.S. established a confidential information management (CIM) program to identify and classify information properly. “Classifications can range from public to internal-only to highly classified,” Finney said.


Once information is classified, business processes are built around each type of classification. This is no small task. Many organizations hope to simply throw technology, such as data-leak prevention solutions, at the problem. However, if data isn’t classified and treated properly, no amount of technology will help.


“It’s a big job,” said Jon Oltsik, senior analyst, information security for the Enterprise Strategy Group. “You have to figure out what kinds of data are moving around the enterprise, how to classify them, and then you have to determine who can use which types and for what purposes.”


Classifying data doesn’t sound all that hard until you consider just what you have to look at—each and every application, including things like email, IM and Web 2.0 applications. There are plenty of reasons, though, to tackle this job. Avoiding the fate of TJX, Hannaford Brothers Grocery and the VA is reason enough.


Oltsik expects to see more companies following TEL U.S.’s lead, and one of the drivers is compliance. Compliance helped drive TEL U.S.’s CIM program. At the same time, the burdens compliance places on IT drove them to institute a related program: compliance automation.


“In the past, we had to rely on yearly audits to know whether we were compliant or not,” Finney said. “It’s really complicated, and it’s hard to see the big picture.”


TEL U.S. turned to SailPoint and their compliance management solution to help. SailPoint Compliance IQ gives organizations visibility into and control over user access, reducing compliance burdens by automating access control processes.

The Biggest Risk Might Surprise You


Part of the control process is to assign user risk scores. A new employee who has not been vetted has a very high risk score. Contractors are high risks, as well. Internal-user risks vary from application to application. An IT guy trying to get access to financial systems, for instance, will have a high risk level, and even if he has a legitimate need for access, the system can be set to grant him only a short window of access.


Other high risk users are ones many organizations overlook. Power users, especially those in executive suites who access most applications, are very high risks, as are high level IT people. “At the very least, the scoring prompts discussions,” Finney said. “You have to ask yourself just how powerful these users should be.”


This raises another problem. You have this high risk user base out there, and there’s only so much you can do to curtail those risks. Now what? Many organizations simply monitor, audit, and try to enforce policies on a case-by-case basis. Unfortunately, this places yet another burden on overworked IT staffs, turning them into traffic cops. Users are always trying to do something they shouldn’t, whether it’s clicking on a potentially dangerous link in an email message, visiting a compromised website, accessing inappropriate content, or pulling data out of applications that they shouldn’t even have access to in the first place.


This problem led the City of Miami Beach to rethink how it enforced end-user policies. “I didn’t want to be put in the position of always policing end users,” said Nelson Martinez, Jr., the city’s systems support manager. “Why not find a way to force the end user to comply with IT policy whether they think they’re complying or not?”


The City of Miami Beach turned to eEye’s integrated threat management solution to do just that. “Now, I can create a policy footprint. IT determines what users shouldn’t be able to do, what websites they can’t visit, what programs they can’t download, and eEye enforces that,” Martinez said.


Users can no longer get around policies via rights, which is a notorious problem with Windows. Even if a user has administrator rights, the policy will still be enforced.


“After all, you can have the best security policies in the world,” Martinez said, “but if end users don’t follow them or if they can get around them, you’re in trouble.”


Jeff Vance is the president of Sandstorm Media, a writing and marketing services company that focuses on emerging technology trends. You can contact him at jeff@sandstormmedia.net or visit www.sandstormmedia.net.