Blog

The Rogue Admin and Unfettered Data Access

Mandatory audits for data protection and control under ITAR/EAR begin at varying levels from 2020, so it is now more important than ever to thoroughly understand the levels of compliance provided by various vendors. Misleading claims can cause confusion and put your government contracts at risk.

Avatar
by Nick Martin - Sr. Security Engineer
14th November 2019

Today the idea of access control is everywhere. Everyone who has sensitive information wants security controls to limit access to that data. This desire turns to need when the data is not only sensitive but regulated, and is a common sense measure that limits access to data on a need to have basis. Human resources doesn’t need access to your engineers CAD files and your engineers don’t need access to other people's salaries. So why, oh why, do most security solutions still allow application administrators unfettered access to controlled data?

Super User Warning

“We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility.”

Let’s get a few caveats out of the way. Super Users in a system will always be necessary; at the very least I hope we never hand that responsibility over to the AI’s or AI@earth:~$ sudo skill -KILL -u humanity will become a real possibility. The problem is that most applications, either by design or in management, allow administrators access to data on the managed systems.

System administrators and computer engineers require high level access to systems in order to do their job. Without their efforts we wouldn’t have the computer systems that allow business processes to run at speeds timed in milliseconds. Control of a system is a necessary power that should be handled by highly vetted and ethical specialists.

Separation of Powers

That said, there is no reason to allow application or system administrators access to the data they host on their system. This is where separation of powers comes into play. Logical separation of data from the systems that host them allows for more granular control and prevents any one person from having it all. Engineering a system that separates powers is more complex, but the benefits far outway the cost when sensitive data is involved. Separation of Powers within a computer system is similar to the separation of powers within the federal government. In the government you have a body that makes rules based on an underlying policy (Congress), a body that enforces those rules (POTUS), and a body that provides oversight to ensure adherence to an underlying policy or directive (SCOTUS). In an information system this idea can be executed in the following way:

Is “Accountability” enough?

The necessity of separation of powers is made apparent by a long and colorful history of abuses of power that continue with, dare I say, increasing frequency today. Take the recent story regarding two Twitter employees being charged with espionage for example. These users didn’t require access to the data to do their jobs, but were able to access personal information of millions of users. Why were they able to access this information when the job didn’t require access to such data?

Lazy security practices that give system administrators unfettered access to sensitive data causes undue harm to users and their interests. The effects of breaches are far more dangerous and long lasting when regulated data is involved and can affect the national interests and security of the United States. Imagine the implications of such a breach with HIPAA data, or even more so with transmissions that contain US Defense Articles protected under ITAR— What a nightmare.. When the stakes are that high the “accountability” security model has limited power as we have seen time and again with insider breaches.

Cocoon Data understands such security challenges and provides solutions to address them. If you create the data then you own that data. You are responsible for it— so why should you trust an application administrator to keep it safe? By design SafeShare for ITAR provides full control of the data to the Data Owner, not the application administrator. The Application Administrator can view audit logs and even disable access to content if necessary, but they have no access to any data within the system. Our compliance focused file sharing technology blinds the administrator to users data to reduce the attack surface so you can share files and collaborate within the regulated space in confidence.

Want to see our ITAR solutions in action?
Request Trial
@includeUnless(request()->routeIs(['register', 'login', 'trial.index']), 'includes.footer')