
Paul Fremantle is CTO at WSO2, where he leads the technical team in the most dynamic Open Source Middleware company. He has been the chair of the WSRX TC at OASIS and he is VP of Apache Synapse at the Apache Software Foundation. Paul has co-authored two books on XML and Web Services and is a regular speaker at conferences. Previously Paul was a Senior Technical Staff Member at IBM where he led development of the IBM Web Services Gateway. In his spare time Paul plays traditional music on the tin whistle.

Wikileaks and Governance

Whether or not you support the leaking of 250,000 embassy cables to the now infamous Wikileaks website, it certainly makes you think. Whatever business you are in, there are always emails or data that would be embarrassing, or more likely harmful, to your business if they were made widely available. So what is the lesson to be learnt from the Cablegate affair?

The blame for the issue seems to be landing on a certain US private, Bradley Manning. But I place the blame directly on a lack of Governance and poor IT systems. And the measures that have so far been announced, things like removing CD drives from classified systems, are simply the wrong approach. The real problem is why any one person, whatever level of clearance they had, should have access to all 250,000 cables.

Without going into the details of XACML and policy-based entitlement models, suffice it to say that the right approach is to base access not only on the person, but also on the reason they have for accessing the data. Using policy-based entitlement, it is possible to have a well-defined Governance model where a person is given access to just the right data at just the right time for just the right purpose, and where that access is managed in a process-driven, auditable and controlled manner.
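To make the idea concrete, here is a small purpose-aware policy decision point. It is an added example, not code from the original post and not a real XACML engine: the attribute names (clearance, assignments, classification, case), the rules and the sample records are all constructed for illustration. A request is judged on who is asking, what they ask for, what they want to do and the purpose they state, deny rules override permit rules, anything that matches no rule is denied, and every decision is written to an audit trail.

```python
"""Purpose-aware attribute-based access decision with an audit trail.

Added example, not part of the original post and not a real XACML engine.
Attribute names, rules and records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    subject: Dict[str, Any]    # who: clearance level and the cases they are assigned to
    resource: Dict[str, Any]   # what: classification and the case the record belongs to
    action: str                # "read", "export", ...
    context: Dict[str, Any]    # why: the purpose the requester states


@dataclass
class Rule:
    name: str
    effect: str                          # "Permit" or "Deny"
    applies: Callable[[Request], bool]   # target predicate over the whole request


# Constructed policy. Deny rules win over permit rules (deny-overrides), and a
# request that matches no rule at all is denied, so access is closed by default.
POLICY: List[Rule] = [
    Rule("clearance-too-low", "Deny",
         lambda r: r.resource["classification"] > r.subject["clearance"]),
    Rule("no-bulk-export", "Deny",
         lambda r: r.action == "export"),
    Rule("purpose-not-assigned", "Deny",
         lambda r: r.context.get("purpose") not in r.subject["assignments"]),
    Rule("read-for-assigned-case", "Permit",
         lambda r: r.action == "read"
         and r.resource["case"] == r.context.get("purpose")),
]


def decide(req: Request, policy: List[Rule] = POLICY,
           audit: Optional[List[Dict[str, Any]]] = None) -> Tuple[str, List[str]]:
    """Evaluate one request; returns (effect, names of the rules that decided it)."""
    matched = [rule for rule in policy if rule.applies(req)]
    deny = [m.name for m in matched if m.effect == "Deny"]
    permit = [m.name for m in matched if m.effect == "Permit"]
    if deny:
        effect, reasons = "Deny", deny
    elif permit:
        effect, reasons = "Permit", permit
    else:
        effect, reasons = "Deny", ["no-applicable-rule"]
    if audit is not None:
        # The audit record carries the stated purpose, so a reviewer can later ask
        # not just "who read what" but "why did they say they needed it".
        audit.append({"subject": req.subject["id"], "resource": req.resource["id"],
                      "action": req.action, "purpose": req.context.get("purpose"),
                      "effect": effect, "rules": reasons})
    return effect, reasons


# Constructed sample data (hypothetical analyst and records, not real identifiers).
ANALYST = {"id": "analyst-7", "clearance": 2, "assignments": {"case-17"}}
CABLE_IN_CASE = {"id": "cable-0042", "classification": 2, "case": "case-17"}
CABLE_OTHER = {"id": "cable-0043", "classification": 2, "case": "case-23"}
CABLE_SECRET = {"id": "cable-0044", "classification": 3, "case": "case-17"}


def demo() -> Tuple[List[str], List[Dict[str, Any]]]:
    """Run five requests through the policy and return the effects plus the audit log."""
    audit: List[Dict[str, Any]] = []
    effects = [
        # assigned case, stated purpose matches, clearance sufficient -> Permit
        decide(Request(ANALYST, CABLE_IN_CASE, "read", {"purpose": "case-17"}), audit=audit)[0],
        # record belongs to another case than the stated purpose -> no rule permits it
        decide(Request(ANALYST, CABLE_OTHER, "read", {"purpose": "case-17"}), audit=audit)[0],
        # classification above clearance -> Deny regardless of purpose
        decide(Request(ANALYST, CABLE_SECRET, "read", {"purpose": "case-17"}), audit=audit)[0],
        # bulk export is denied by policy, no need to remove the CD drive
        decide(Request(ANALYST, CABLE_IN_CASE, "export", {"purpose": "case-17"}), audit=audit)[0],
        # no purpose stated at all -> Deny
        decide(Request(ANALYST, CABLE_IN_CASE, "read", {}), audit=audit)[0],
    ]
    return effects, audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The point of the example is the shape of the check, not the particular rules: the decision needs the stated purpose as an input, and the audit record keeps that purpose next to the outcome so that later review can compare what people said they needed with what they actually touched.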

If you live in a high-crime area and you leave your door open, you will be burgled. If you don't put in place good security and data governance, then it is you that will be blamed, not just the guy who steals your data.

And if you want the technical low-down on XACML, start here, here and here.
Published at DZone with permission of Paul Fremantle, author and DZone MVB.



Jonathan Fisher replied on Fri, 2010/12/03 - 10:49am

I believe he had access to 250,000 cables because pre-9/11, there was practically no information sharing between departments, let alone agencies. Access to all of that information was deemed necessary to allow threat analysts to do their jobs. Not defending the current system, but just trying to put it into context... It's also hard to believe that someone would betray their country like private Bradley Manning and put countless lives in danger.

The new ideas that have come out of this sound cool however. I heard a report of heuristic, pattern-based access monitoring that can red flag someone if they begin to access too much data out of context. Everything from credit card companies to HIPAA covered entities could use this sort of access control.

Christian Schli... replied on Fri, 2010/12/03 - 1:25pm

Sorry, but there is no single-technology solution to fix security issues, be it XACML or whatever. What really would have prevented a hazardous incident like this is the introduction and operation of an IT Security Management System, such as an implementation of the ISO 27001 framework. E.g. by applying the German IT-Grundschutz implementation of ISO 27001, one of the first things the IT Security Officer would have asked herself is if it's really required that thousands and thousands of people need to have full access to the database, with the obvious answer. This could be fixed by applying some technology conforming to the Need-To-Know principle, but this is still only a partial solution. Hence, IT Security Management Systems take a holistic approach to the subject, trying to secure the vital information on various levels and protect against potential threats by an effective mixture of both technical *and* organizational actions.

Nicolas Bousquet replied on Sat, 2010/12/04 - 6:26am

You make me laugh, you two.

You can make something more complicated, yes. But you can't make it impossible. I'd say the only option to prevent leaks of 250,000 cable documents is to not store them at all in the first place. People know that. When they want to keep a secret, they speak about it behind closed doors. They ensure nobody is listening or recording what they say. And as far as possible, they avoid cellphones, mails etc.

Whatever the security system, if you have the data, even with a zillion security systems, there is a theoretical way to retrieve them all.

Just imagine the guy had credentials for access to all these documents. And let's say he knows the security system, and so how to avoid the alarms. Maybe because he is the administrator. Or has the same rights.

Maybe because he is the one that made the system, or was given documents on how the system was made.

Let's say that each document is encrypted, each one with a different key. And there is only one guy knowing the key in the whole world. They don't know a password that generates a key, or a password that gives access to a password wallet. Now they know the 256 or 512 byte private key.

And let's say you can't decrypt in decent time. Anyway, that's what you believe.

Then maybe you can make some sort of virus that is totally harmless for everybody but that, when the guy decrypts the message on his personal computer and reads it on the screen, this small program will store the decrypted content and later send it to some server.

Maybe you thought your encryption mechanism was good, but there is a flaw in the algorithm or the implementation you used. And instead of 800 years to decrypt a message using a typical computer, you only need a month with a typical computer for one message.

So in 10 years, a typical computer will only need 1 day to decrypt it. And using a farm of computers you have decrypted everything in one month. Simply because you didn't change the key or the system.

And you know that in fact, if you store the documents, some guy will have legitimate access to hundreds, thousands or all of them. Maybe you'll even authorize him to analyse them all using a computer program for research or statistical reasons. Maybe some of these guys have weak passwords. Maybe the analytical program is not perfectly safe. Maybe some of these guys are traitors.

Well, just saying there will always be a way you didn't think about. There is a flaw in the system. It being that you trust the wrong person. Maybe because of a bug in the system. It can be anything.

Christian Schli... replied on Sat, 2010/12/04 - 4:03pm in response to: Nicolas Bousquet

Of course there is no such thing as 100% security - I never claimed this. My point is that you need a methodology for IT Security Management which includes risk analysis. During risk analysis, you'd learn what your risks are and how to minimize them. It's obvious that this did not happen in this case because any beginner in the field of IT Security Management would have figured that it's not a good idea to give access to all the data to thousands of users.

Thufir Hawat replied on Sat, 2010/12/11 - 5:39pm

What mechanism would you use to restrict someone from querying the database? I mean, distinguish legitimate queries from illegitimate. The police and tax collectors have this problem all the time; you constantly read about how some IRS type looked up details on people, or whatever. However, the problem is that these people, in the course of their job, require that sort of access.

Now, a red flag here to me is that the leaks come from a private. Presumably he was assigned the wrong access to the database in question -- why would he need access to such cables?

Otherwise, I think you just have to look at logs, and have red flags, and dedicate people to actually talk to people and ask why they queried so many records, or such and such records. Or, have them justify their queries beforehand. However, that would be, I expect, really annoying and highly inefficient.

There's no magic bullet here, aside from restricting people's access based on what they need and having people review logs. A "who polices the police" type of quandary here.
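The log review that this comment and Jonathan Fisher's earlier one both describe can be reduced to two cheap red flags, shown here as an added example that is not code from the post or from any commenter. The log line format, the user names, the "case" attribute and the thresholds are all constructed for this illustration and are not taken from any real system. An account is flagged for a day when its record count jumps far above its own median for other days, or when more than half of what it touched that day lies outside the cases it is assigned to; the output is a list for a human to follow up on, not an automatic block.

```python
"""Two red flags over access logs: volume spike and out-of-context access.

Added example, not code from the post or its commenters. Log format, names,
assignments and thresholds are constructed for illustration only.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed log line format:
#   "<ISO timestamp> user=<account> resource=<record id> case=<case id>"


def parse_line(line: str) -> Tuple[str, str, str, str]:
    """Return (day, user, resource, case) from one constructed log line."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return timestamp[:10], fields["user"], fields["resource"], fields["case"]


def daily_activity(lines: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Group the cases touched per user and per day: {user: {day: [case, ...]}}."""
    activity: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for line in lines:
        day, user, _resource, case = parse_line(line)
        activity[user][day].append(case)
    return activity


def red_flags(lines: List[str], assignments: Dict[str, Set[str]],
              volume_factor: float = 5.0, min_volume: int = 20,
              context_ratio: float = 0.5) -> List[Tuple[str, str, List[str]]]:
    """Return (user, day, reasons) for every user-day that trips a flag."""
    flags = []
    for user, days in daily_activity(lines).items():
        counts = {day: len(cases) for day, cases in days.items()}
        allowed = assignments.get(user, set())
        for day in sorted(days):
            reasons = []
            # Baseline is the median of the user's *other* days, so a single
            # spike cannot raise the baseline it is measured against.
            others = [n for d, n in counts.items() if d != day]
            baseline = median(others) if others else 0
            if counts[day] >= min_volume and counts[day] > volume_factor * max(baseline, 1):
                reasons.append(f"volume {counts[day]} vs baseline {baseline}")
            outside = sum(1 for case in days[day] if case not in allowed)
            if outside / counts[day] > context_ratio:
                reasons.append(f"{outside}/{counts[day]} records outside assigned cases")
            if reasons:
                flags.append((user, day, reasons))
    return flags


# Constructed assignments: which cases each (hypothetical) account works on.
ASSIGNMENTS: Dict[str, Set[str]] = {"analyst1": {"case-17"}, "analyst2": {"case-23"}}


def sample_log() -> List[str]:
    """Constructed log: analyst1 works normally for three days, then pulls 60
    records across a dozen unrelated cases; analyst2 is steady throughout."""
    lines = []
    for i, day in enumerate(["2010-11-01", "2010-11-02", "2010-11-03"]):
        for n in range(5):
            lines.append(f"{day}T09:{n:02d}:00 user=analyst1 resource=cable-{i}{n:03d} case=case-17")
    for n in range(60):
        lines.append(f"2010-11-04T10:{n:02d}:00 user=analyst1 resource=cable-9{n:03d} case=case-{n % 12}")
    for i, day in enumerate(["2010-11-01", "2010-11-02", "2010-11-03", "2010-11-04"]):
        for n in range(5):
            lines.append(f"{day}T11:{n:02d}:00 user=analyst2 resource=cable-{i}{n:03d} case=case-23")
    return lines


if __name__ == "__main__":
    for user, day, reasons in red_flags(sample_log(), ASSIGNMENTS):
        print(user, day, "; ".join(reasons))
```

The two signals are deliberately independent: a large pull inside one's own case is worth a conversation but may be legitimate, while a modest number of reads scattered across cases one is not assigned to is the pattern the comments are worried about, and both together are the strongest signal. The assignments table is the same "purpose" information a policy-based access model would already hold, which is why access control and log review reinforce each other.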
