Can we turn off Snowden’s access after the fact?

By E.K. Koh

In my last blog, Would data-level controls have stopped Snowden, I highlighted the importance to separate system rights from data rights. But what if Snowden was using a login credential that in fact grants him rights to sensitive data? Accounts vary, but in the blog What the Snowden affair taught us , Anand alluded to the fact that Snowden gained access by stealing credentials of users with higher privilege. Unfortunately, even a system with fine grained data entitlement capabilities will not be able to stop Snowden, under his new identity, from copying sensitive data.

This is where defense in depth , an information assurance concept, comes in. Ironically it was a technique conceived by the NSA.

Obviously, defense in depth is only as good as the security layers you put in place. Clearly, a layer that enforces data entitlements can prevent malicious admins from copying sensitive data, but a layer of strong authentication would make it harder for malicious insiders to steal credentials with higher privilege.

And, as an additional security layer, “Wouldn’t it be nice if we could turn off access to the files that Snowden downloaded after the fact?” We could prevent the stolen information from being abused or shared once violations are uncovered.

In fact, this capability does exist. It is called Rights Management. Except for it to work, it needs to be policy-based (ie rights protection needs to be automatically applied based on policy). For example, the policy might dictate that files classified as “Secret” must be rights protected when copied outside the server.  If this kind of policy enforcement capability were in place, then the files Snowden copied would automatically be rights protected once they are taken out of the server. Policy-driven rights protection is critical because NO malicious user would apply the rights protection themselves.

So how does this work?

Once a document is rights protected, it is in fact protected with a layer of encryption, and can be decrypted only if the user could provide the right credential or meets the criteria as dictated by the policy. This would often require the protected document to authenticate with an authorization or rights management server before it can be decrypted; and if the credential that is required to open the document is deactivated, the document will remain rights protected and encrypted. Wouldn’t it be nice to be able to render stolen documents useless?

Even though the technology is available, rights management has not always been easy to use because:

• Protection is often limited to certain file types. If an organization can only protect some files but not others, the value of the solution is greatly diminished
• Protection is often template-based. To cater to the different entitlement requirements, the number of templates often grow exponentially and quickly become unmanageable
• Protection is often dependent on users applying the right template. This is at best onerous, and definitely error prone. And as mentioned, relying on users to apply templates would not have stopped Snowden

However, policy-based rights management solutions are now available, and it would have allowed the NSA to turn off access to the information Snowden stole. Wouldn’t that be nice?