It’s likely Ed Snowden couldn’t have dreamed of a better reaction to his work. Since he leaked the extent of intelligence gathered by the US government through the NSA, his story has dominated headlines on both sides of the Atlantic, making him both a cult figure and a wanted fugitive.
But the cult of Ed Snowden is not what really requires attention here. Regardless of whether it’s in the ‘public interest’ or not, no top-secret application should be open to manipulation by any one man. With the right measures in place, the likes of Ed Snowden wouldn’t have a story to tell – and by extension, bodies like PRISM would hold less of your personal data too.
Initial reactions to this story were to debate whether Snowden really had the power he claimed to have. Could he really have “shut down” the NSA? Logic states this is highly unlikely. It’s a big leap from stealing classified PowerPoint slides to wire-tapping phones and accessing dossiers for spies and other agency personnel. And surely, the NSA would have segmented the access it gave to any data deemed sensitive or in any way risky.
If it did not, then it’s a significant oversight that should serve as a stark warning to other organisations sitting on supposed ‘secret’ material.
The great unknown
Many people have access to confidential documents within their own company, but they shouldn’t be allowed to change how the network runs. In the case of Ed Snowden, he may have had access to sensitive PowerPoint slides, but may not necessarily have had control of all the other systems needed to bring an organisation to its knees.
This remains the great unknown of this case; we don’t know how broad the leak really was. Determining that will depend on how the network and the systems within the NSA are segmented and monitored. It is highly probable, however, that NSA employers will be able to track all of Snowden’s access to the network and its systems.
Monitoring administrators is an important part of operational security, and with the right engine in place managers should be able to view individual applications accessed specifically by Ed Snowden. I would be very surprised if his employers did not have full records on this access.
From a national security point of view, the post-mortem of Snowden’s leak is where attention should be most keenly focused, to determine the veracity of his statements. But if the claims turn out to be true, it does not automatically mean that other organisations are prone to the same breaches.
Generally speaking, the more powerful an application is, the more tightly it is segmented, monitored, and controlled. The same is true of security administrators themselves. The more power they are provided, the more their duties need to be segmented, monitored, and controlled.
In the case of Ed Snowden, we have a very privileged administrator accessing very powerful applications – common practice would be to watch him like a hawk. Ultimately the access to sensitive information comes down to company mindset. In many cases, companies simply think of security as blocking attacks as opposed to the process of securing their information.
Blocking the attack is obviously a critical part of the equation, but it has to be tied into the context of the data itself, the applications that serve that data, and the people that use those applications. The NSA leak is a perfect example of what can happen when very powerful applications and powerful users are not controlled sufficiently.
A modern solution to a modern problem
With vast amounts of privileged and sensitive data stored on company networks and pervasive threats seeking to steal that data, businesses require a segmented approach to security that monitors all users, content and applications present on the network. It’s an approach some companies have been reluctant to grasp but, given the revelations of the past few weeks, the consequences of not taking appropriate measures should be far more of a concern.