WikiLeaks is an international, non-profit organization that publicly publishes private, secret, and classified government and corporate information, including:
Based on media reports, the first two leaks may have originated with a single person working inside the organization. Whether that person was a disgruntled employee, a troubled conscience, or just a thrill seeker doesn't matter. What does matter is that anyone in a position to obtain classified information has been interviewed, reviewed and (at least in government) investigated and assigned a security clearance level that allows them access to internal systems and the information they hold.
While IT systems disconnected or walled off from the internet tend to be seen as “safer” than directly connected systems, internal threats still remain. In fact, systems built around the premise of strong walls and impenetrable doors have the most to fear, as they often lack strong internal controls, relying on personnel to “do the right thing.”
IT systems are complex, and the overhead that goes into managing them is most often seen by corporate and government leaders as a cost center. One of the most complex and costly systems IT can put in place is its identity and access management (IAM) system, which processes coarse-grained rules about who has access to which kinds of programs and information in the organization.
But locking down classified information in a large organization requires more than the few traditional broad clearance bands that IAM can manageably support. What’s required is the ability to assign multiple qualifying attributes to users, resources, environments, etc., enabling a much more fine-grained approach to access management. Once in place, authorizations can be more closely tracked and monitored, and alerts set up to flag unusual behavior.
Layer 7’s family of XML Gateways is designed to help organizations address the kinds of security and visibility issues that characterize internal threats. Using Layer 7, organizations can implement a “trust but verify” process to counter WikiLeaks type problems before they occur.
Data Exfiltration – the primary system fault that led to the WikiLeaks affair was the ability of a single user to discover, collect, and exfiltrate a massive amount of information, much of which was not needed to support their day-to-day activities. With Layer 7 in place, policies can be enforced that limit the number of times a single user can retrieve a given application, service or data set, or several types of them, where the aggregate volume could be interpreted as a sign of malicious intent. If a user goes beyond their administratively imposed limit, Layer 7 can either allow the operation while notifying administrative or security personnel of the potential issue, or disallow access altogether while awaiting remediation.
Access Control – the heart of any information system is its ability to grant access to those that have a "need to know" the information contained within. In most organizations, information systems rely on the user’s level of clearance, the network they are using, or coarse-grained information such as the branch of service they belong to in order to grant or deny access to an information sharing system in its entirety. Layer 7 policy enforcement and decision capabilities allow for user authorization through either Attribute Based Access Control (ABAC) or Policy Based Access Control (PBAC). These types of authorizations correlate attributes about the user, resource, environment, etc. in policy, providing a much more fine-grained method to allow or deny access.
Monitoring, Visibility & Tracking – even when controls are in place that help mitigate the “need to know” issue, there will always be a risk of authorized users collecting information within the norms of their current job and role. However, monitoring usage of individual information services, as well as enterprise-wide usage, can flag unusual patterns of information access. Layer 7 allows for federated monitoring of data access, giving visibility into shared resources. This gives organizations the ability not only to track authentication attempts and valid authorizations across the extended enterprise, but also to analyze distributed data retrieval trends on a per-user basis.
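The three controls above (a per-user retrieval limit with an "allow and notify" band and a "deny" band, an ABAC decision that correlates user, resource and environment attributes, and an enterprise-wide view of retrieval trends) can be sketched in one small policy decision point. This is an added, constructed example, not Layer 7's policy language or API; the attribute names, thresholds and the absence of a time-window reset are assumptions.

```python
"""Constructed illustration of a 'trust but verify' decision point: an ABAC
check on user/resource/environment attributes, then a per-user retrieval
count with an alert band (allow and notify) and a deny band. Not Layer 7's
policy language or API; attribute names and thresholds are assumptions."""
from collections import defaultdict


class PolicyEnforcer:
    def __init__(self, alert_at=50, deny_at=100):
        # Thresholds are per user per monitoring window (window reset omitted).
        self.alert_at, self.deny_at = alert_at, deny_at
        self.counts = defaultdict(int)   # user id -> retrievals this window
        self.alerts = []                 # what would be sent to security staff

    def abac_permit(self, user, resource, env):
        # Correlate attributes from all three sources rather than relying on
        # the clearance band alone (assumed attribute names).
        return (user["clearance"] >= resource["classification"]
                and resource["owner_unit"] in user["units"]
                and env["network"] == "internal")

    def decide(self, user, resource, env):
        """Return 'deny', 'permit' or 'permit-with-alert'."""
        if not self.abac_permit(user, resource, env):
            return "deny"                 # denied requests are not counted
        uid = user["id"]
        self.counts[uid] += 1
        n = self.counts[uid]
        if n > self.deny_at:
            self.alerts.append((uid, n, "blocked pending review"))
            return "deny"
        if n > self.alert_at:
            self.alerts.append((uid, n, "unusual retrieval volume"))
            return "permit-with-alert"
        return "permit"

    def retrieval_trends(self):
        """Enterprise-wide view: users ranked by retrieval count."""
        return sorted(self.counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    pep = PolicyEnforcer(alert_at=2, deny_at=4)   # small thresholds for demo
    analyst = {"id": "u1", "clearance": 3, "units": ["intel"]}
    report = {"classification": 3, "owner_unit": "intel"}
    env = {"network": "internal"}
    for _ in range(5):
        print(pep.decide(analyst, report, env))
    print(pep.alerts, pep.retrieval_trends())
```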