Archive for September, 2009|Monthly archive page

Warning: Do Not Access (Pretty Please?)

I just read an article over at Dark Reading that made me laugh, and almost cry at the same time. An employee at the Defense Department was just arrested for accessing unauthorized data. And how did he gain access? By using a password that he had received in order to access another classified message, one that he was authorized to read. Despite automated security warnings (which the employee ignored, and didn’t even bother to read), the employee was able to access the classified data on two separate occasions.

So what’s wrong with this picture? Two words: Least Privilege. Why does a privileged identity have unrestricted access? The password that the employee was provisioned with should have allowed him access only to the data he had a legitimate need for, and nothing else. On top of that, there should be some type of attestation (a periodic review) to verify that the access rights of these privileged accounts still match what the job requires.

It’s laughable to think that warning messages were the only thing that stood between the employee and the classified data. You could make the argument that he shouldn’t have been snooping into the restricted area in the first place, but that would be just plain naïve. Let’s face it; access policies are put in place to protect data owners from this sort of thing, and to protect employees from themselves! Looks like the Defense Department needs to review its access management a bit.
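To make the two points above concrete, here is a small added illustration (my own example, not anything from the Dark Reading article or the department in question): a credential scoped to the one message it was issued for, an access check that either enforces that scope or merely warns, and an attestation routine that reports privileges exceeding the stated need. The identities and message ids are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Credential:
    """A credential provisioned for one purpose: the resources it was issued for."""
    owner: str
    scope: frozenset  # resource ids this credential may legitimately open


@dataclass
class AuditLog:
    events: list = field(default_factory=list)


def access(cred: Credential, resource: str, log: AuditLog, enforce: bool = True) -> bool:
    """Return True if the data is served.

    With enforce=True a request outside the credential's scope is denied.
    With enforce=False the check only records a warning and still serves the
    data, which is the failure mode the post describes: a warning is not a control.
    """
    if resource in cred.scope:
        log.events.append(("allowed", cred.owner, resource))
        return True
    if enforce:
        log.events.append(("denied", cred.owner, resource))
        return False
    log.events.append(("warned", cred.owner, resource))
    return True


def attest(grants: dict, needs: dict) -> dict:
    """Attestation: compare what each identity is granted with what its role needs.

    Returns only the identities holding excess privilege, mapped to the surplus
    resources a reviewer should revoke. An empty dict means every grant is justified.
    """
    excess = {}
    for who, granted in grants.items():
        surplus = granted - needs.get(who, frozenset())
        if surplus:
            excess[who] = surplus
    return excess


if __name__ == "__main__":
    cred = Credential("analyst-01", frozenset({"msg-001"}))  # constructed sample
    log = AuditLog()
    print(access(cred, "msg-002", log))                # False: out of scope, denied
    print(access(cred, "msg-002", log, enforce=False))  # True: warn-only, data served
    print(attest({"analyst-01": frozenset({"msg-001", "msg-002"})},
                 {"analyst-01": frozenset({"msg-001"})}))
```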