Lessons to be learned from Statoil data leak
The report in the Norwegian newspaper Dagbladet that internal technical documentation from Statoil was exposed on public servers is alarming, but the causes reported at the root of this breach are common in many organizations.
Little or no consensus on what constitutes sensitive documentation
It is impossible for IT to be aware of all the confidential and sensitive information stored in the corporate IT environment. It is of course sensible to document and communicate a framework for what constitutes sensitive information, but it may not always be as simple as listing particular applications or document authors. Indeed, following the recent scandal surrounding an IT contractor in the US leaking vast quantities of data, it is advisable that IT administrators neither know about nor have access to sensitive content.
Business managers who are responsible for content should be given the tools to enable them to secure their team or department’s content automatically as it is created or edited – after all they are in the best position to know what information in the wrong hands could threaten the business – be it industrial espionage, reputational damage or sabotage of production lines.
Giving managers authority and responsibility for managing their business groups in identity management systems is not as perilous as many IT professionals assume. Our experience is that this serves to tighten up security and improve timescales for disabling old accounts when people leave an organization or reassigning appropriate access when people change job functions within the same organization.
Consequences of changes to IT infrastructure are insufficiently well thought through
Data that was once stored in live systems probably needs to be just as secure when moved to backup facilities. Many content changes are incremental, and historic documents can therefore pose almost the same risk as those that are current. The only way to truly secure them is therefore through some form of content encryption that stays with the document wherever it travels.
Too much trust is being placed in suppliers
Organizations cannot assume that their suppliers take the same care over their data as they expect. With supply chains getting more complex and contracts being sub-contracted, often multiple times, more proactive oversight of how an organization's data is communicated, stored and managed beyond the organization's control is a growing imperative.
Organizations need to ensure that their business contracts contain adequate data protection clauses, and that they get their suppliers to provide proof that they practice what their policies say they do. This should not be a one-off auditing exercise at the beginning of a contract, but something periodically revisited. Tools that track and enable the monitoring of how an organization's sensitive information is being accessed and used can play an important role in providing this information in a timely and accurate fashion, so as not to overburden IT security and compliance teams.
Mistakes are always going to occur that result in the potential disclosure of sensitive content, but it is up to organizations to ensure that the impact of those mistakes is kept to a minimum. Too many organizations are leaving themselves wide open to data breaches because of an over-reliance on their overstretched IT security department rather than sharing the responsibility with business managers, who have a vested interest in keeping content safe.
Original News Source: "Sensitive dokumenter om norsk oljebransje lå åpent på nett" (Sensitive documents about the Norwegian oil industry lay open on the web), Dagbladet, http://www.dagbladet.no/2013/12/09/nyheter/innenriks/nullctrl/datasikkerhet/informasjonsteknologi/30585906/