Insider Threat

Controlling who gains access to what on computer networks is vitally important and devilishly hard. Success stories can help.

In February 2001, the FBI arrested one of its own veteran counterintelligence agents, Robert Philip Hanssen, for providing classified information to Russia and the former Soviet Union. Hanssen gave up more than 6,000 pages of documents, most of which he pulled from the FBI's own computers.

Such an audacious breach might seem impossible in this post-Sept. 11 era of system lockdown, but the conditions that permitted it persist.

The FBI continues to have major weaknesses in its critical computer network. It still fails to properly identify and authenticate users or consistently configure network devices and services to prevent unauthorized insider access, the Government Accountability Office reported in April (GAO-07-368).

And the FBI isn't the only agency with vulnerable networks.

GAO also found in September that the Veterans Affairs Department, which reported two high-profile security breaches in 2006, has not fully completed 20 of 22 IT security recommendations that its inspector general made a year ago. VA failed to adequately restrict access to data, networks and facilities or to ensure that only authorized changes and updates to computer programs were made, according to the report (GAO-07-1019).

The same story has played out across government: The absence of proper security processes and technologies allows computer users to wander through agency networks virtually unimpeded. Most inside users have no malicious intent; a few have interests that range from criminal to prurient. So far, few have had espionage in mind. But the inability to control access to sensitive data creates holes for nasty insiders and outsiders to slip through. So much so that Input, a Reston, Va.-based research firm, expects federal agencies will spend nearly $350 million on technology to manage identity and access in 2008.

In the first six months of 2007, 26 percent of all data breaches with the potential for identity theft hit the government sector. It was second only to the retail sector in the number of identities exposed on its systems, security vendor Symantec found.

The cause of such lapses isn't a lack of proper technology. Rather, "agencies have to start looking at programs holistically," says Karen Evans, administrator of e-government and information technology at the Office of Management and Budget. "They should be looking at how they can reduce risk and still allow people to access information and services."

Homeland Security Presidential Directive 12, issued by President Bush in 2004, has raised awareness of the importance of identity management. HSPD 12 requires an identity credential for every federal employee and contractor who logs on to a government network. Though it will control who can log on, once a user is online, the ID does little to regulate access to the drives, files and databases in the network, critics say. It's like having a security guard check visitors' identities at a building entrance, but failing to control where people go once inside.

Government networks are notoriously complex and unknown holes are hidden throughout. The Information Systems Security Line of Business, the e-authentication presidential initiative and the 2002 Federal Information Security Management Act provide hints about how to control access once users are logged into a system, but agencies must determine the best approach.

Some have rolled out their own initiatives to safeguard data. Examining these efforts provides tips and guidance for other agencies. Here's a look at three lessons learned by agencies trying to manage identities to control where users go on a network.

Lesson 1: Consolidate

Access Control

Traditionally, access controls exist at the level of software applications, such as a Web portal developed in Oracle's business software suite, for example. But application-based controls create a fragmented environment that is a nightmare to manage and can open numerous doors for unauthorized users.

"Agencies have a patchwork of processes and technologies that they have put in place over many years to provide access control to their critical data," says David Troy, the identity management solutions practice leader at EDS, an IT systems integrator headquartered in Plano, Texas. Without centralized management, changes in access rights have to be entered individually into each software application and security tool on the system. "The result is very lengthy delays for providing or changing access rights, and an inability to remove those rights in a timely fashion, if at all."

By taking a centralized approach to identity management, Troy says, agencies can automate and accelerate the process. The Housing and Urban Development Department offers an example. Until this year, the department relied on e-mail to inform managers which employees or contractors had access to which networks, files and databases. Because neither workflow procedures nor approval processes were automated, the system was unwieldy and imprecise. "It was difficult to get any real picture of where accesses were because processes were all over the map," says Patrick Howard, HUD's chief information security officer.

The department hired EDS to develop an automated identity management system, now dubbed the Centralized HUD Account Management Process. EDS, relying on Unicenter Service Desk from Islandia, N.Y.-based business software vendor CA, developed a single entry point for managers to submit new accounts, modify existing accounts, and approve or revoke access to HUD business applications. The system allows the department to ensure that only authorized users gain access to sensitive information.

When a new employee or contractor is hired, a user ID must be generated and stored in the active directory record and e-mail account. A manager routes a request for access to a security officer in charge of the specific application that the employee or contractor needs. No steps can be skipped in the routing process, and each task manager's actions can be audited to check who approved what when. The audit allows for strict oversight.

An employee or contractor with an account can get access rights to another area on one of HUD's networks only by logging on to the HUD intranet, entering data about his or her role and explaining why access is needed. If the request is approved, a custom work order is generated. "There has to be a system to help manage the huge number of systems and users and the continual churning in rights and levels of access required. Without that system, you just continuously chase after problems," Howard says.

Lesson 2:

Train, Train, Train

Identity management means more than a smart card standard for entering buildings and networks. It also includes detailed policy and oversight to enhance collaboration among employees and contractors within and among agencies.

The goal is a secure validation process that makes it easy for users to move through a network to quickly access information. But agencies' disparate systems and requirements frequently make negotiating networks arduous and complicated. For example, one agency might define a Top Secret security clearance differently from another, making it difficult to clearly specify in a user's profile where he or she is permitted to go within a network.

"If there are three entities that have to speak to one another, they need to bring the network to the lowest common denominator in terms of access," says Ray Bjorklund, chief knowledge officer at McLean, Va.-based market research firm Federal Sources. "But what if that impacts the success of the collaboration [because] classified information is suddenly not available? Those are the types of issues that are holding up progress. The 'need to know' issue comes into play. How do you deal with policy and the cultural change?"

That's the quandary the Health and Human Services Department faces. HHS must share data not only within the department and with other agencies, but also with private health care organizations. In May 2001, Jared Adair, then deputy chief information officer of the Health Care Financing Administration (now the Centers for Medicare and Medicaid Services), told Congress about the challenges Medicare faced.

"By law, Medicare fee-for-service claims are processed by about 50 private sector insurance companies that each have their own business processes and variations in the use of Medicare claims processing software, which we are responsible for overseeing," she said. "From a technology standpoint, such decentralization requires that we transmit data with contractors to ensure that we bring together up-to-date information on eligibility, enrollment, deductibles, utilization and other potential insurance payers. We also must share eligibility and managed care enrollment data with the approximately 540 managed care plans providing services to Medicare beneficiaries."

To balance the need for access with the conflicting need to secure data, CMS developed custom training tools for managing who can see and use data and ensuring that government personnel and business partners followed proper procedures. Users must participate in computer- based training when initially issued a CMS user ID and then every year when their IDs are certified.

The CMS Information Security Program policy governs operation and safeguarding of information systems; the Business Partners System Security Manual addresses information security for those in the private sector. Ongoing program memos also provide day-to-day operating instructions, policies and procedures to ensure everyone follows proper protocol.

Lesson 3:

Develop in Phases

Methods of identity management are almost infinitely variable. Some require two-factor authentication with a common access card and personal ID number. Others require a biometric iris scan. The frequency with which the system checks digital certificates-the blocks of data used to uniquely identify people over networks-might be standardized across an agency or managed by the group assigned to a specific area on the network or even at the employee level.

IT managers must figure out how to manage such details and be willing to adjust along the way. For example, the Defense Department used to save all revoked employee certificates in a database application against which the network could check new users. As the list grew, so did the demand for bandwidth. With help from contractor BearingPoint, Defense moved to online certificate verification, easing the burden on the system.

"HSPD 12 set a lowest common denominator-a background check tied to a credential or identity," says Gordon Hannah, managing director of the Public Services Security and Identity Management Group at BearingPoint, an IT consultancy based in McLean, Va. "That establishes a baseline level of trust. With the technical capability there, policy becomes the bigger issue. Agencies need to think in terms of a phased [rollout] with solid change management principles. At the end of the day, this is a fairly large undertaking that touches everyone."

Defense issued smart cards over three years, followed by a phased approach that started with digital signatures on e-mail. The digital signatures then could be used as master keys for gaining access to other applications on the network and encrypting data sent over the Internet. Controls on the back end were then able to establish groups with common attributes. Defense will take a similarly gradual approach to adopting HSPD 12 IDs, issuing replacement cards to employees only when the ones they hold expire. That allows Defense to transfer and supplement data maintained on the cards in installments. Iris scans and fingerprints are among the additional identifiers that Defense expects to store on HSPD 12 smart cards.

Similarly, the Navy implemented identity management with single sign-on capability that allows individuals to access multiple computer platforms and applications after being authenticated once. The department first rolled out single sign-on to the Space and Naval Warfare Systems Command, which manages Navy IT systems, to improve secure communication between ships and shore bases. The Navy now is extending single sign-on through the Navy Knowledge Online Web site, which serves more than 480,000 officers and enlisted personnel.

The step-by-step approach was born of caution, says Robert Carey, the Navy's chief information officer. "The larger issue is not getting liquored up about cool technology, but [instead] making sure it adequately meets the need of the stated requirement." ID managers also shouldn't lose sight of the limitations of the current system in their zeal to implant new methods, he says.

Identity management is complicated. Implementation should be gradual and strategic, moving from application to application to determine the sensitivity of the information in each, and person by person to determine what information needs to be made available to whom. In the long run, OMB's Evans says, agencies should weigh what they're trying to accomplish against the level of risk they're willing to manage.