The Rogue Admin and Unfettered Data Access

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility.”

Let’s get a few caveats out of the way. Super Users in a system will always be necessary; at the very least I hope we never hand that responsibility over to the AI’s or the end of humanity will become a real possibility. The problem is that most applications, either by design or in management, allow administrators access to data on the managed systems. 

System administrators and computer engineers require high level access to systems in order to do their job. Without their efforts we wouldn’t have the computer systems that allow business processes to run at speeds timed in milliseconds. Control of a system is a necessary power that should be handled by highly vetted and ethical specialists.

Fast and easy collaboration is a necessity that doesn’t magically go away once the data

That said, there is no reason to allow application or system administrators access to the data they host on their system. This is where separation of powers comes into play. Logical separation of data from the systems that host them allows for more granular control and prevents any one person from having it all. Engineering a system that separates powers is more complex, but the benefits far outway the cost when sensitive data is involved. Separation of Powers within a computer system is similar to the separation of powers within the federal government. In the government you have a body that makes rules based on an underlying policy (Congress), a body that enforces those rules (POTUS), and a body that provides oversight to ensure adherence to an underlying policy or directive (SCOTUS). In an information system this idea can be executed in the following way: 

• Data Security Policy Management – Application administrators, with the help of regulators and data owners, create Access Control Policies that can be assigned to data.
• Key Management – Encryption keys being managed out of scope of system and application administrators ensures the integrity of keys and protected assets. The separation of data and keys, in both logical and physical contexts, is critical. 
• Data Ownership – Personnel directly involved with the creation and management of the data dictate its classification in accordance with security directives. Working with security and administrative personnel to ensure control structures are in place so they can classify and control data.
• Security Assurances – System and data access auditing to ensure the integrity of system controls and managed data is the keystone to helping organizations ensure they are compliant.

The necessity of separation of powers is made apparent by a long and colorful history of abuses of power that continue with, dare I say, increasing frequency today. Take the recent story regarding two Twitter employees being charged with espionage for example. These users didn’t require access to the data to do their jobs, but were able to access personal information of millions of users. Why were they able to access this information when the job didn’t require access to such data?

Lazy security practices that give system administrators unfettered access to sensitive data causes undue harm to users and their interests. The effects of breaches are far more dangerous and long lasting when regulated data is involved and can affect the national interests and security of the United States. Imagine the implications of such a breach with HIPAA data, or even more so with transmissions that contain US Defense Articles protected under ITAR— What a nightmare.. When the stakes are that high the “accountability” security model has limited power as we have seen time and again with insider breaches.

Cocoon Data understands such security challenges and provides solutions to address them. If you create the data then you own that data. You are responsible for it— so why should you trust an application administrator to keep it safe? By design Cocoon Data for ITAR provides full control of the data to the Data Owner, not the application administrator. The Application Administrator can view audit logs and even disable access to content if necessary, but they have no access to any data within the system. Our compliance focused file sharing technology blinds the administrator to users data to reduce the attack surface so you can share files and collaborate within the regulated space in confidence.

Read more on ITAR Compliance here.