In a May 2009 survey of more than 400 IT and security professionals conducted by Dark Reading and sister publication InformationWeek, 52 percent of respondents said they are more concerned about the possibility of internal data leaks -- both accidental and malicious -- than they are about external threats.
Stories about internal security breaches are in the news practically every day. CMP has a site dedicated to the topic of insider threat. The threat is real, and we saw it recently when a senior developer at a leading investment bank allegedly stole computer code that automates the firm's high-volume trading on stock and commodities markets (see Computerworld story).
As noted in an earlier post by my colleague David Miller, Data Loss Prevention (DLP) software can be used to identify and prevent the removal of proprietary information from an enterprise.
As a complement to a DLP solution, an access control solution enables a firm to go far beyond the capabilities of an operating system in controlling privileged users like the ex-developer mentioned above.
According to the FBI complaint in the incident with the developer, he first removed the encryption program that he used and then attempted to erase his tracks. Fortunately for the firm, it maintained a backup of the activity log; however, how many times have we seen backups fail?
Effective access control must allow an organization to proactively define very fine-grained controls for its privileged users. An example of this would have been to allow the senior developer access to the source code, but not to allow him to install or remove any programs. Additionally, this person would be prevented from accessing any activity log, let alone deleting one.
The combination of a DLP and access control solution can offer both data and resource protection and proactively secure sensitive information and critical systems. Are you securing both the data and the resources supporting it?