Six Myths of Information Security (cont'd)
Myth #6 -- Access Control will protect you
Clearly, enforcement of need-to-know on key assets is a necessary component of managing the risks of confidentiality breaches. Without access control, you have no hope of protecting the data. The myth here is that this kind of protection is sufficient. Given the huge amount of money, time, and attention paid to this aspect of security, you would hope that locking down your information this way would be enough!
What we see
The rates of data loss we see at customer sites indicate that access control privileges, even in the best-run shops, are at least a step or two behind the state of provisioning needed to adequately protect data. Part of that is driven by the complexity of keeping up with the changing roles of employees, but there are additional factors that play an even bigger role in the proliferation of confidential data.
Beyond out-of-date ACLs, the second factor driving proliferation of confidential data is simple abuse of legitimately granted access. Both well-meaning insiders and malicious insiders have full permission and are responsible for a large fraction of the data breach events globally.
The final relevant factor is that primary storage systems for confidential data are very often NOT the only storage system for that data. It's incredibly common in DLP deployments to find secondary and tertiary storage locations for all kinds of sensitive information (customer databases, credit card data, marketing plans, etc.). These unauthorized secondary storage devices are usually involved in legitimate business activity, but are under the radar of the IT team and (here's the real point) run with minimal access control.
A typical example we find all the time: the HR team will query the employee database, extract all the salient details (names, salaries, SSNs) and then plop the spreadsheet down on a shared file system somewhere so the rest of the team can look at the data. Sadly, these HR teams rarely try to restrict access in any way that protects the data. The end result: the entire employee database is sitting out on a public share with open read/write access.
Summarizing, access control permissions are a form of protection that is, at best, unevenly applied and frequently evaded by employees who simply copy the data to secondary storage systems. There's really only one feasible fix to this mess: enforce protection as well as you can with ACLs and back-stop this protection with DLP to constantly hunt for exposure events. Access control alone just won't cut it.
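A minimal sketch of that back-stop, added here as an illustration and not taken from any DLP product: it walks a file tree and reports only files that both contain SSN or card-number patterns and are readable or writable by everyone. POSIX "other" permission bits stand in for share ACLs, and the file names and sample row are constructed.

```python
import os
import re
import stat
import tempfile

# Dashed US SSNs (never-issued ranges excluded) and 13-19 digit card candidates.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text):
    """Return the sensitive data types present in text."""
    found = {"ssn"} if SSN_RE.search(text) else set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("card")
    return sorted(found)

def scan_share(root, max_bytes=1_000_000):
    """Report files under root that hold sensitive data and are open to 'other'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            world = [p for p, bit in (("read", stat.S_IROTH), ("write", stat.S_IWOTH)) if mode & bit]
            if world:  # files whose permissions already restrict access are skipped
                with open(path, "r", errors="ignore") as fh:
                    kinds = classify(fh.read(max_bytes))
                if kinds:
                    findings.append((os.path.relpath(path, root), kinds, world))
    return findings

def demo():
    rows = "name,salary,ssn\nAlice Example,85000,123-45-6789\n"  # constructed sample data
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("hr_export.csv", 0o666), ("hr_locked.csv", 0o600)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(rows)
            os.chmod(path, mode)
        return scan_share(root)
```

Run on a schedule against shared file systems, a scan like this surfaces the HR-spreadsheet case described above: the same export is reported when it sits world-open and ignored when its permissions are locked down.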