Keep tabs on insiders with rule-based access

In his recent blog, Guy Bunker raises the question of the malicious insider, who misuses authorised access to data and applications. How do we detect and prevent such activity? A promising approach to tacking this issue comes in the form of...

Share

In his recent blog, Guy Bunker raises the question of the malicious insider, who misuses authorised access to data and applications. How do we detect and prevent such activity?
 
A promising approach to tacking this issue comes in the form of access control. Traditional role-based access control (RBAC) is commonly implemented by organisations, but can make it difficult to provide the required controls. For example, a worker in a tax office may potentially be asked to review the tax details of any citizen, so with a pure role-based access control system, would need to have access to all records.

RBAC implements a simple yes/no decision, with no concept of context or history of access. Such systems typically detect misuse by retrospectively auditing accesses, looking for unusual behaviour, which might include accessing ‘honeypot’ records of celebrities, or looking at a much greater-than-usual number of records in a day.
 
"Prevention is better than cure" says the proverb, and this is where rule-based access control can help. Rather than a static access matrix, rule-based access allows much more flexible controls. In this example, access could be granted with the rule 'only allow access to the records of people who have sent an email or phoned in', thus restricting access based on a tighter need-to-know basis.

Rule-based access can also help incorporate more complex controls. ‘Allow access to bank information if it's from a computer located near the account-holder's mobile phone’ could be a good rule to prevent some frauds. The Jericho Forum is planning to examine how rule-based access can be used to facilitate collaborative security by not ‘assuming context at your peril’ (JF commandment number three).
 
But would such systems help stop misuse of insider information by senior executives? Not so easily. The relevant information might not even be on a computer system of any kind and be known only to a few individuals. We've not yet implemented a Minority Report pre-crime detection system yet.

Currently we look for unusual share-price movements that correlate with potential insider misuse, another use of retrospective audit. Conceptually, though, if systems are permitted to be more closely connected (and if privacy concerns allow this to happen), a rule-based access system may ask some probing questions before allowing someone to deal in shares of a company if they are a Facebook friend-of-a-friend of a director.
 
Fanciful? Simple rule-based systems already exist, for example when sending emails the rules can check if you are aware you are sending to both employees and external people, thus helping prevent the ‘onosecond’ - the time between pressing ‘send’ and realising you shouldn't have.

So it's no big step to allow greater collaboration by sharing and validating claims, especially if this can be done with minimal information disclosure for privacy protection.
 
Andrew Yeomans, Jericho Forum board member

Find your next job with computerworld UK jobs