Why every enterprise faces an OPM-style security breach
Summary: Relying on firewalls and the vigilance of staff is no way to prevent an OPM-style security breach in today's digitally connected world.
This is an astonishing tale of abject security processes at the heart of government. But the lessons are equally applicable to business organizations, where last year's infamous Sony Pictures hack demonstrated the fallibility of traditional enterprise security regimes. Another important takeaway: IT security has to be the concern of every senior executive in an organization, especially the CHRO, and not just the CIO.
Thanks to last week's revelations, we now know that the OPM case involves the theft of personal data of 21.5 million people whose backgrounds were checked because they, or someone they knew, were considering a government job or role. This is in addition to the previously known exposure of data on 4.2 million federal employees. ZDNet's Steven Vaughan-Nichols cites the OPM revelation that this new set of compromised data included:
... identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.
Some records [he adds] included mental health and financial history findings from security background investigators and fingerprints.
The attack vector will be familiar to anyone who has studied similar security breaches at other large organizations, including Edward Snowden's extraction of NSA data. It wasn't because the OPM put its data in the cloud, or because of some fiendishly sophisticated hack by foreign intelligence agencies (though naturally the finger of blame has been pointed at the Chinese). No, it was lax controls on contractor accreditation, as a Homeland Security official revealed last week:
Mr Ozment said the hacker in both cases gained access to the computer systems "via a compromised credential of a contractor."
It probably makes the government feel better to imply that this was the work of crack teams working for the Chinese intelligence services, but in truth it could just as easily have been a small-time gang of online identity thieves working out of a bedroom anywhere in the world. Now that the data is out there, it's surely going to fall into the hands of several foreign intelligence agencies, but it should never have been left so exposed in the first place.
How Google does security
The OPM (like the NSA before it) fell into a self-made trap that I like to call "line of sight governance." Essentially, this is the belief that if I can look across the room or walk down a corridor to where someone is working, then I'm in control of the security surrounding them. Back in the days before the Internet and World Wide Web came into existence, that may have had some merit. Not any more.
Today, everyone is connected wherever they are and via multiple devices. The old-fashioned, on-premises method of enforcing security by assuming that certain areas are safe from intrusion is a delusion. You cannot firewall the perimeter or trust those inside it, because in a digitally connected world all perimeters are porous.
If you want to take a modern approach to security then take a leaf out of Google's book. As the Wall Street Journal's Rachael King reported in May, Google's new security model moves trust from the network level to the device level:
The Internet giant is flipping common corporate security practice on its head, shifting away from the idea of a trusted internal corporate network secured by perimeter devices such as firewalls, in favor of a model where corporate data can be accessed from anywhere with the right device and user credentials.
The new model — called the BeyondCorp initiative — assumes that the internal network is as dangerous as the Internet. Access depends on the employee's device and user credentials. Using authentication, authorization and encryption, the model grants employees fine-grained access to different enterprise resources.
Successfully operating this kind of model requires an actively managed single sign-on system that is connected to the enterprise HR system, ensuring that access rights and identities are kept up to date with each worker's current role and employment status. Obviously such systems have to be sophisticated enough to manage contingent workers as well as full-time employees; otherwise the same loopholes that the OPM and NSA left open will reappear.
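As an added illustration of the access model just described (this is not Google's BeyondCorp code, and the names, policy entries and dates are hypothetical), the decision routine below grants access only when the HR-synced identity record is active, a contractor's engagement has not lapsed, the requesting device passes a posture check, and the role matches the resource; the network the request came from plays no part:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Added illustration (not Google's BeyondCorp code): every request is judged on
# HR-synced identity state plus device posture, never on the source network.
@dataclass(frozen=True)
class Identity:
    user: str
    status: str                      # "active"/"terminated", from the HR feed
    worker_type: str                 # "employee" or "contractor"
    roles: frozenset = frozenset()   # roles attached to the current HR record
    end_date: Optional[date] = None  # engagement end for contingent workers
@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                    # enrolled in device management
    disk_encrypted: bool
    patched: bool
# Resource -> roles allowed to reach it (a tiny fine-grained policy).
POLICY = {
    "hr/background-investigations": {"investigator"},
    "hr/payroll": {"payroll", "hr-admin"},
}
def device_trusted(dev: Device) -> bool:
    return dev.managed and dev.disk_encrypted and dev.patched
def decide(ident: Identity, dev: Device, resource: str, today: date):
    """Return (allowed, reason) for one access request."""
    if resource not in POLICY:
        return False, "unknown resource"
    if ident.status != "active":      # HR says they left: credential is dead
        return False, "identity not active in HR"
    if ident.worker_type == "contractor" and (
            ident.end_date is None or today > ident.end_date):
        return False, "contractor engagement expired or open-ended"
    if not device_trusted(dev):       # valid password on a random laptop: no
        return False, "device fails posture check"
    if not (ident.roles & POLICY[resource]):
        return False, "role not authorised for resource"
    return True, "ok"
# Constructed sample records (hypothetical names, constructed dates).
ALICE = Identity("alice", "active", "employee", frozenset({"investigator"}))
BOB = Identity("bob", "active", "contractor", frozenset({"investigator"}),
               end_date=date(2015, 6, 30))
CARL = Identity("carl", "terminated", "contractor", frozenset({"investigator"}))
LAPTOP = Device("lt-001", managed=True, disk_encrypted=True, patched=True)
HOME_PC = Device("home-pc", managed=False, disk_encrypted=False, patched=True)
TODAY = date(2015, 7, 15)            # constructed "now" for the demonstration
if __name__ == "__main__":
    print(decide(BOB, LAPTOP, "hr/background-investigations", TODAY))
```

The contractor whose engagement has ended and the terminated worker are refused even with a perfectly valid credential, which is exactly the gap a compromised contractor account exploits when identity and HR state are not linked.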
My take
The OPM's discomfort is well deserved, but no one should be smirking at it, as almost every enterprise is making exactly the same lazy and self-deluded assumptions about the rigors of its own security regime.
It requires some investment to move to the kind of digitally connected security that Google has adopted, but there's no excuse for holding back. Google has even published a paper (PDF) describing how to move beyond the privileged intranet model to an Internet-native security model.
If CIOs and chief information security officers (CISOs) drag their feet on upgrading security for a digitally connected world, then COOs, CHROs and CEOs should be leaping up and down demanding action. Any enterprise that is still trusting the integrity of internal networks and the vigilance of staff to protect unencrypted content stored in its computer systems is tolerating an unacceptable threat to confidential data in its care and thus to its reputation and even its survival.