As information security professionals, we are always interested in finding stories or anecdotes to help make a point or to further educate people on the importance and need for strong information security.
An item grabbing US headlines recently was the story concerning the inappropriate access to the passport files of the 3 major US presidential candidates, Barack Obama, Hillary Clinton, and John McCain: http://www.cnn.com/2008/POLITICS/03/21/obama.passport/index.html
At first glance, this story did not seem particularly interesting, especially when I realized that a passport file contains basic statistics such as birth date, height, weight and eye color, information that is already widely available for public figures such as these. Other than the applicant's social security number, there is no really significant private data in these files. Clearly, this was purely a case of random snooping by curious employees, much like the similar incident in which people accessed the medical files of actor George Clooney and Britney Spears: http://abcnews.go.com/US/story?id=4498155&page=1
But, as more details around this story emerged this week, my interest in the story evolved from that of a concerned citizen to that of an information security professional. According to State Department spokesman Sean McCormack, Senator Obama's files had been viewed three times by contractors working for the agency starting in January. In Clinton's case, a trainee accessed her files in 2007. McCormack said two of the contractors in the Obama case were "low-level" personnel and the other was in a mid-level position with no management role.
Now, let's reconsider this situation. These were not full-time employees doing this, but contractors and trainees who do not even work for the State Department. And while there is nothing wrong with hiring contractors (we have since learned that the State Department hires contractors to design, build and maintain its systems), this incident raises questions about how well (or not) the State Department is provisioning access to data, applications and systems. In this situation, it is not just that contractors accessed the files, but that the contractors themselves were "low-level" personnel. Unfortunately, we do not know the specific IT architectural details of the passport system, but the fact that contractors in non-management roles were able to access any and all data for highly public figures suggests that the passport system suffers from a monolithic "access for all" security model. This is often the case in legacy systems that were designed and deployed decades ago with no elaborate access control mechanisms. In the initial years of operation, such systems are only accessed by a small, defined group of individuals, so auditing and controlling access to information is easy.
But, as such systems become more widespread, the number of users requesting access increases rapidly. And in the case of a high value application like the passport application system, it cannot be taken off-line over an extended period of time so that developers can create a more robust security model for the application. As a result, this "access for all" model becomes the standard, meaning that everyone ends up with the same level of access, regardless of responsibility, title or function.
Situations like this scream out for identity and role management. These types of systems empower organizations to create security and access models specific to individual roles and functions. In the State Department case, a separate role category of "contractor" could be created, and within the contractor category, roles such as trainee, manager etc. could be defined with a level of access commensurate with each role. Such systems deliver two levels of benefits. First, they greatly simplify management and administrative operations, because the IT team only needs to manage dozens of roles instead of hundreds of individuals. Second, identity management systems reduce risk by ensuring that users' access to information is limited to their actual business function. Had such systems been in place at the State Department, it is unlikely that these kinds of breaches would even have happened.
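To make the role model concrete, here is an added example (my own illustration, not anything known about the State Department's passport system) of how a records application can replace "access for all" with role-based checks. The role names, the permission set, the "flagged record" marker for high-profile subjects and the per-case assignment are all hypothetical. It goes slightly beyond the post in two ways a practitioner would want: a flagged record is readable only by a user who is actually assigned to that case, not merely by anyone whose role permits reading, and every decision, allowed or denied, is written to an audit trail so that snooping attempts can be reviewed afterwards.

```python
"""Role-based access control with per-case scoping and an audit trail.

Added illustration; roles, permissions and records are constructed examples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Atomic actions the application can authorize.
READ_BASIC = "read_basic"          # name, dates, document status
READ_SENSITIVE = "read_sensitive"  # e.g. the applicant's SSN field
MANAGE_USERS = "manage_users"

# Hypothetical role catalogue: a "contractor" category split into
# trainee and caseworker, plus a supervisor role for staff.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "contractor_trainee": {READ_BASIC},
    "contractor_caseworker": {READ_BASIC, READ_SENSITIVE},
    "supervisor": {READ_BASIC, READ_SENSITIVE, MANAGE_USERS},
}


@dataclass
class User:
    user_id: str
    roles: Set[str]
    assigned_cases: Set[str] = field(default_factory=set)


@dataclass
class Record:
    record_id: str
    flagged: bool = False  # high-profile subject: needs a case assignment


@dataclass
class AuditEvent:
    user_id: str
    record_id: str
    permission: str
    allowed: bool
    reason: str


def flat_model_authorize(user: User, record: Record, permission: str) -> bool:
    """The legacy 'access for all' model: any authenticated user may do anything."""
    return True


class AccessControl:
    """Role-based authorization with case scoping; logs every decision."""

    def __init__(self) -> None:
        self.audit_log: List[AuditEvent] = []

    def permissions_for(self, user: User) -> Set[str]:
        perms: Set[str] = set()
        for role in user.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def authorize(self, user: User, record: Record, permission: str) -> bool:
        allowed, reason = True, "ok"
        if permission not in self.permissions_for(user):
            allowed, reason = False, f"role lacks {permission}"
        elif record.flagged and record.record_id not in user.assigned_cases:
            # Role alone is not enough for a flagged record: the user must
            # have a business reason, represented here by a case assignment.
            allowed, reason = False, "flagged record not assigned to user"
        self.audit_log.append(
            AuditEvent(user.user_id, record.record_id, permission, allowed, reason)
        )
        return allowed

    def denials_by_user(self) -> Dict[str, int]:
        """Summary a reviewer can use to spot repeated probing of records."""
        counts: Dict[str, int] = {}
        for ev in self.audit_log:
            if not ev.allowed:
                counts[ev.user_id] = counts.get(ev.user_id, 0) + 1
        return counts


def demo() -> Dict[str, int]:
    """Constructed scenario: a trainee and a caseworker touch three records."""
    ac = AccessControl()
    trainee = User("t-001", {"contractor_trainee"})
    worker = User("c-002", {"contractor_caseworker"}, assigned_cases={"P-1001"})
    assigned = Record("P-1001", flagged=True)
    public_figure = Record("P-2002", flagged=True)
    ordinary = Record("P-3003")

    ac.authorize(trainee, ordinary, READ_BASIC)          # allowed
    ac.authorize(trainee, ordinary, READ_SENSITIVE)      # denied: role
    ac.authorize(worker, assigned, READ_SENSITIVE)       # allowed: assigned case
    ac.authorize(worker, public_figure, READ_BASIC)      # denied: not assigned
    ac.authorize(trainee, public_figure, READ_BASIC)     # denied: not assigned
    return ac.denials_by_user()


if __name__ == "__main__":
    for user_id, n in demo().items():
        print(f"{user_id}: {n} denied access attempt(s)")
```

Under the flat model every one of the five requests in `demo()` would succeed and leave no trace; under the role model the two flagged-record lookups without a case assignment are refused and recorded, which is exactly the evidence an agency needs to notice snooping before a spokesman has to explain it.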