Saturday, December 02, 2006

This is an additional post regarding IP and least privilege access

Intellectual Property, IP, loss, what is the real threat?

There are four major risk areas: the loss of IP through attrition (former employees), and theft by foreign competitors, domestic competitors, and contractors/vendors. Attrition is largely outside the realm of IT security controls, but some controls clearly reduce this type of loss; these are discussed in more detail below. Then there is outright theft, whether internal or external; both situations are also discussed below. It is thought that 70% or more of a company's market value is in its intellectual property, so any significant loss of IP is a significant loss to the market value of your company. Unfortunately, most companies have not done their homework in quantifying the value of their IP, and therefore have not quantified the risk. Valuation and risk models based on the likelihood of loss must be used to determine the best controls.

Loss through Attrition
IT security controls can minimize the loss of IP through attrition. Users should only have access to what they need to accomplish their work. Establishing a culture and the technical controls that enable the Least Privilege Access method, LPA, is the single most effective way to minimize this risk: if users never had access to sensitive information they did not need, they cannot take it with them when they leave the organization, and whatever access they did hold should be revoked on the day they leave.

Theft
External threats that enable theft include weak security perimeters and inadequate controls on content submission to externally facing websites. See the warning from UK officials here.

Insider threats are much harder to deal with, and they are occurring more frequently than in the past. This correlates directly with the hardening of the perimeter around companies' IT infrastructure, and with the change of hacking from a pastime for technically savvy individuals into an activity of individuals with a financial motive. This threat should be mitigated by implementing better human resource programs and applying the principle of least privilege access.

Technical Controls and Least Privilege Access
LPA, on the other hand, is difficult to use in practice. It is really hard to keep up with what users need, and if access is too restrictive, collaboration and productivity suffer. Role-based access can alleviate some of these problems, and new advances in user management make it easier. For example, Microsoft's Active Directory™ allows for easier organization of users into their respective roles through group membership. However, it does not get you the last mile towards true LPA. In the end, the users who create sensitive information are the ones who have to decide what needs to be published, and to whom. In today's environments, this information lives in structured repositories such as databases and management systems, and as unstructured data such as Word documents, spreadsheets, presentations, etc. Unstructured information is the hardest to place controls around, but you can use classification schemes to mitigate the risk. Unfortunately, Least Privilege Access is too complex a solution to be discussed within a paragraph, so I will discuss LPA separately in a later article.
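The role-based and classification controls described above, together with the attrition case from the earlier section, as an added example that is not part of the original post: a small Python model of deny-by-default access in which the document's author chooses which roles it is published to, a classification scheme caps what each role is cleared to read, and offboarding strips every role a departing user held. The users, roles, documents and clearance levels are constructed sample data; this is not Active Directory's API or any real organisation's scheme.

```python
"""Least-privilege access model for classified documents (added example).

Two checks must both pass before a read is allowed:
  1. the author published the document to a role the user holds, and
  2. that role is cleared for the document's classification.
Unknown users hold no roles and are denied; offboarding removes all roles.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    """Labels a data owner attaches to a document (constructed scheme)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Document:
    name: str
    classification: Classification
    readers: frozenset  # roles the author chose to publish the document to


@dataclass
class AccessModel:
    # user -> roles held; stands in for directory group membership (hypothetical data)
    roles: dict = field(default_factory=dict)
    # role -> highest classification that role is cleared to read
    clearance: dict = field(default_factory=dict)
    # (user, document, decision) log, for reviewing denials and over-broad grants
    audit: list = field(default_factory=list)

    def assign(self, user: str, role: str) -> None:
        self.roles.setdefault(user, set()).add(role)

    def offboard(self, user: str) -> None:
        """Attrition control: a departing user keeps no role and therefore no access."""
        self.roles.pop(user, None)

    def can_read(self, user: str, doc: Document) -> bool:
        """Deny by default; grant only via a published role with sufficient clearance."""
        held = self.roles.get(user, set())
        allowed = any(
            role in doc.readers
            and self.clearance.get(role, Classification.PUBLIC) >= doc.classification
            for role in held
        )
        self.audit.append((user, doc.name, allowed))
        return allowed

    def entitlements(self, user: str, docs) -> list:
        """Everything a user can currently reach: the list to review at recertification."""
        return [d.name for d in docs if self.can_read(user, d)]


def build_sample():
    """Constructed sample directory and documents, not from any real organisation."""
    model = AccessModel()
    model.clearance.update({
        "engineering": Classification.RESTRICTED,
        "sales": Classification.INTERNAL,
        "contractor": Classification.INTERNAL,
    })
    model.assign("alice", "engineering")
    model.assign("bob", "sales")
    model.assign("carol", "contractor")
    docs = [
        Document("price-list.xlsx", Classification.INTERNAL,
                 frozenset({"sales", "contractor"})),
        # Published to sales by its author, but sales is only cleared to INTERNAL,
        # so the classification ceiling still denies bob.
        Document("roadmap.pptx", Classification.CONFIDENTIAL,
                 frozenset({"engineering", "sales"})),
        Document("core-design.docx", Classification.RESTRICTED,
                 frozenset({"engineering"})),
    ]
    return model, docs


if __name__ == "__main__":
    model, docs = build_sample()
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, "->", model.entitlements(user, docs))
    model.offboard("bob")
    print("bob after offboarding ->", model.entitlements("bob", docs))
```

The `roadmap.pptx` case is the one worth noticing: the author published it to the sales role, but the classification scheme still denies sales users because that role is not cleared above INTERNAL. That is the "last mile" the directory alone does not give you, and the audit list is what you review to find grants that are broader than anyone actually uses.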
