The information security concept of “Privileged Access” is designed to ensure an individual has access to the information they need and is excluded from that which isn’t needed. Most entities have a process by which an employee, manager or group may petition for access to information which they need to complete their assigned tasks/mission.
Snowden — did he or didn’t he?
Then there is the path chosen by Edward Snowden: induce your colleagues to provide you access to privileged and sensitive information by providing to you their credentials. Credentials which open up access to different information than yours. In June 2013, it was alleged Snowden acquired his million-plus document stash by these means. He has repeatedly denied he used anyone’s credentials and acquired all of the information under the access authorized to him by the National Security Agency (NSA) as a classified contractor of Booz Allen Hamilton (BHA). The NSA has been investigating Snowden’s filching of secret and top secret documents and has, according to a memo to the House Judiciary Committee which was leaked to the press, coworkers did provide their information access credentials to Snowden.
The memo points out, with specificity, that an NSA employee has admitted to the NSA that he provided his PKI (Public Key Infrastructure) credential to Snowden on 18 June 2013. The NSA revoked this employee’s security clearance on Nov. 20, 2013 and the employee resigned on Jan.10, 2014. The memo notes that in addition to the NSA employee, that an active duty member of the US military (not further identified) and a contract employee (not further identified) also provided their access credentials to Snowden. While the NSA removed their access to NSA spaces and networks by revoking their privileges, adjudication does not fall within the NSA’s remit.
Identity management is not new
Is the concept of identity management new? Absolutely not, access controls and data loss prevention are industry foundational elements. And Snowden’s employer, BHA, is well schooled in the concept of privileged access, indeed, they look for individuals with expertise in the implementation of identity management systems within a classified engagement.
What we have here with the Snowden imbroglio is a bit of social engineering. Snowden apparently gave his colleagues a believable reason why his access was insufficient to complete his duties or how he would be able to help the colleagues complete their duties if only they would share their credentials. And once again, the frailty of the human nature to be helpful trumped the multiple layers of security and security awareness training.
What can we do?
The only positive to take from the episode is that it reinforces the need to adhere to security processes, even when your instinct says to do otherwise. Instead of saying yes, here’s my key, or no I can’t do that – take the path to “Let’s get your access upgraded by following these procedures, or requesting a waiver – fully documented.”
