For decades, mainframers have felt justifiable confidence and pride in their favorite platform’s stellar integrity—that is, its resistance to any sort of unauthorized manipulation. And over that time, IBM has reinforced those feelings with various declarations, backed by aggressive follow-through when exposures have been identified.
Even as other platforms have improved in all characteristics, the System z environment often remains an installation’s Fort Knox, relied upon to protect the most valuable and sensitive data. But less pleasant to contemplate is the fact that nothing distinguishes the nature of mainframe staffers from that of the population at large. So even though System z careers are professionally rewarding and reasonably lucrative, there's always a risk that someone—maliciously or otherwise—will threaten an installation's interests.
Additionally, given the realities of reduced job security and increased turnover decreasing employee loyalty and leading to more use of transient temporary staff, contractors and consultants—it’s essential to understand insider threat vulnerabilities and how to address them.
Research from sources such as Ponemon Institute and anecdotal reporting repeatedly show that a major and increasing source of data breaches is insider threats: negligent technologists or other employees betraying their positions and trust.
While disproportionate worries might hinder productivity and morale, reasonable personnel and technical measures can educate and motivate willing cooperation. Nobody wants to be featured in the news as having lost patient health records, personal financial details or plans for the next-generation tech gadget. So benefits of access to and use of resources, such as data, databases, laptops and employee-owned devices (BYOD), must be balanced against the risks imposed.
As is often the case, two perspectives are needed: executive/policy and operational/technical.
Executive and Policy Strategies
Perhaps the most important—and most painful to recognize—insight is that insider threats are NOT addressed by traditional intrusion-detection technologies. They're authorized people doing unauthorized things, accidentally or for illicit purposes. Necessary strategies involve deterring, detecting and disrupting such actions by managing/guiding staff, preventing external collaboration and protecting valuable data.
If there's a small bright side to insider threats, Kroll Advisory Solutions notes that most internal breaches result from negligence—improper data disposal or unencrypted devices lost—rather than criminal or malicious intent. So these can be addressed by employee-friendly measures.
Insider threats must be addressed as a strategic issue by senior management and legal advisors, crafting mostly uniform—but, where necessary, custom—policies across the organization, specifying clearly defined responses to violations, from monitoring through warnings/termination/prosecution. Technical staff mustn’t improvise actions when incidents occur or are suspected.
While this escalation sounds drastic, it’s necessary to protect an organization’s data, property, finances, reputation, personnel and even survival. Respecting staff civil liberties, honoring relevant laws and privacy rights, and establishing evidence-based procedures will minimize risks of litigation.
Policies should include routine background screening of employees, contractors and consultants, combined with similar due diligence for service providers such as cloud vendors.
Identify organization-specific threats—potentially including sabotage, theft of intellectual property, unauthorized disclosure and internal misuse.
Review—and, as needed, modify—employment agreements to include routine monitoring of data access and system usage. Set expectations with training to elicit understanding/agreement for monitoring. Of course, categorize and prioritize data—be proportionate! Don’t overprotect what doesn’t matter but understand risks of critical resources being misused or disclosed.
Establish a formal dedicated security function to coordinate policies, technologies, monitoring/response, and especially to avoid turf wars among the CIO, security, system and network administrators, and data owners. Simply being reactive—waiting for incidents needing response—is inadequate. Technology is key for implementation but isn’t sufficient. Full protection isn’t necessarily easy or cheap but is required to avoid breaches.
For government sites, Executive Order 13587, “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information,” created the National Insider Threat Task Force. This chartered government-wide policies, mandates minimum standards guidance, and provides assistance and threat assessment. Some organizations may require reporting of foreign contacts.
Don’t assume staff knowledge of security and privacy issues/practices. Conduct strong security awareness training reflecting role-based data access, explaining legal obligations to protect information, and emphasize top-down management commitment/support. The concept of operations security (OPSEC
) can be astonishing, describing how assembling seemingly inconsequential and unrelated facts can compromise security. Monitoring/auditing user actions can reveal habits and isolated incidents that threaten data loss. Ensure all third-parties with data access are included in policies and implementation.
Deterrence includes interacting with users, making them aware that system actions and data access is being monitored. But don’t be too draconian; allow minor variations. Disruption involves policy violation incident response, and is different from intrusion (malware, worm, virus, Trojan, etc.) response. Intrusions typically threaten computers and networks as opposed to violations of policies and practices governing people and data.
Exfiltration and data egress anomalies simply indicate that data inappropriately left an organization. Traditionally, most security tools monitor inbound threats but data loss—especially disclosure of personally identifiable information (PII)—and fraud often originates internally, even if recruited by outsiders.
Operational and Technology Tactics
The first step in addressing insider threats is identifying vulnerabilities; risks and actions are often opportunistic, unplanned. They’re also triggered by an ambitious leader inside or outside recruiting unwitting or corrupt partners.
Define system-monitoring data collection to balance inclusiveness and selectivity. Don't monitor what doesn't matter and won't be acted on. Reflect realistic storage/analytical capabilities, remembering that the effort is protecting valuable data rather than auditing as an end in itself. Put data/behavior in organizational context reflecting factors such as whether it's important and actionable.
Data mining can detect patterns worth investigating but correlating personnel data with actions may involve restrictions. In fact, most alerts will be non-malicious, so processing should winnow what's actionable from random/benign circumstances.
A universal challenge is some people unavoidably having "keys to the kingdom"—that is, access to broad and trusted data and tools—as I did many years ago as a mainframe site’s system programmer, responsible for security with no checks or even full reporting on my actions. In essence, then, the question was, "Who watches the watcher?" Now, prudent or mandated separation of roles doesn’t grant such unrestricted freedom. Similarly, developers use test rather than production data, and access to customer and PII data is constrained and logged.
IT departments can implement role-based data access, stringent authentication, employee-access monitoring and strong end-to-end, data-centric encryption. “Rather than merely trying to protect your company’s data from outside attacks via firewall, the data itself needs to be protected,” says Andrew Schrage, co-owner of Money Crashers Personal Finance. “A number of companies offer data-encryption software.” This must extend to all storage devices, including laptops, employees’ smartphones and tablets, and USB drives. And prohibiting and preventing massive data decryption—except under the most guarded circumstances—prevents exposing entire databases.
Staff turnover can be a risk window as well, so precautions, such as restricted access and reviewing system logs, can be warranted covering the period before and after resignation or termination. Auditing email, USB usage, laptop data and external media can reveal potentially dangerous actions. Though this may seem a gloomy and intrusive attitude, there’s no shortage of disgruntled people taking out anger on employers.
Data loss prevention software spans a broad range of products, detecting and ultimately preventing unauthorized attempts (whether intentional or unintentional) to transmit or reproduce sensitive company information.
While retention policies describe data lifecycles, they’re meaningless without automation. It’s too easy for critical data to be forgotten in repositories, backups, off-site storage, or workstations/laptops. If not properly encrypted, these are especially vulnerable targets for data breaches.
Cloud computing adds a level of complexity and risk, since vendor servers—out of sight and not controlled by company IT—are an attractive target. Again, data-centric encryption—encrypting everything sent to the cloud—reduces this vulnerability.
While it’s difficult to identify and resolve insider threats/breaches, a strong start is provided by automated detection—continuous monitoring for policy violations—via detailed logging, automated/prioritized responses, a repeatable response process and robust chain of custody handling audit data. Especially important is identifying anomalies: disconnects between job/responsibilities/tasks and actions, and potential attempts to cover one’s tracks.
Threat mitigation policies and practices should be periodically audited by external providers reporting to senior management. Rather than a mere formality, this can reveal creeping mismatches between employee level and actions taken.
There’s a delicate balance of prudent monitoring vs. intrusive bullying. It’s certainly legitimate monitoring publicly visible websites for mentions of your company’s name or even using reputation-monitoring services for that. It’s edgier scanning employee social networking information, though defensible if advance notice is given. But it’s probably over the line to require account login information for such sites.
Finally, of course, aggressively use industry-standard tools that provide extensive policy-based controls and auditing capabilities.
Gabe Goldberg has developed, worked with, and written about technology for decades. He can be contacted at firstname.lastname@example.org.