US Army PFC Bradley (now Chelsea) Manning was convicted of espionage for releasing classified information. (SAUL LOEB / AFP)
Federal agencies don’t have the best track record when it comes to controlling the level of access employees have to sensitive databases and systems.
Edward Snowden and Chelsea Manning — formerly Bradley Manning — proved that. But it doesn’t take a gifted system administrator or intelligence analyst to create problems or full-blown havoc at an agency.
Think about it: All employees have varying degrees of access, not only to internal technology systems but also to agency facilities. Those privileges should be cut off immediately after an employee severs ties with an agency, but that doesn’t always happen. Further, when employees change positions, such as through a promotion or transfer, their authorized access levels also change, leaving human resources, information technology staff and direct managers with the task of coordinating to ensure that old access is cut off and not merely new access added.
“There isn’t a standard way, and there ought to be,” said Paul Christman, vice president of the public sector for Dell Software. Christman said there are variations in agency processes for onboarding and offboarding employees.
A 2013 survey by Dell Software and Market Connections found that 54 percent of agencies take longer than a day to de-provision users, or shut off their access to agency facilities, files, folders, applications, databases and other physical and logical access points. The survey included responses from 200 federal IT decision-makers.
Considering that thousands of employees enter and exit the government each month, any de-provisioning longer than a few hours represents a gaping security hole, the report notes.
A terminated employee whose badge still works can enter the facility after hours and remove confidential information; one whose accounts are still live can leak documents, whether maliciously or through inadvertent exposure.
“Most organizations, not just government, are terrible at that,” Paul Donfried, chief technology officer at LaserLock Technologies, said of rapidly de-provisioning users. Generally, it’s because HR and IT are separate functions, and enabling capabilities for new or existing employees becomes the priority.
De-provisioning users is an area where agencies can mitigate the security threat through automated systems and dramatically speed the process, Dell Software notes in its report. “Manual de-provisioning is time-consuming — staff must track down not only the user’s identities, but all instances of systems or applications in which that identity is given access.”
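As an added example, not code from the article or from Dell Software, here is the kind of reconciliation an automated de-provisioning pipeline runs: it takes the HR separation feed and the account inventories of several systems, lists every account still enabled for a departed employee (including ones with no recorded owner, which manual reviews tend to miss), measures the lag between separation and each disable, and on one trigger disables everything across every system. All employee IDs, account names, system names and timestamps are constructed for the example.

```python
"""Automated de-provisioning check, added as an example (not from the
article or from Dell Software). All employee IDs, system names and
timestamps are constructed for the example."""
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Separation:
    """One row of the HR separation feed."""
    employee_id: str
    separated_at: datetime


@dataclass(frozen=True)
class Account:
    """One entry in a system's account inventory (directory, badge, VPN, database)."""
    system: str
    account_id: str
    employee_id: Optional[str]   # None when the inventory records no owner
    enabled: bool
    disabled_at: Optional[datetime] = None


# Constructed HR feed: two employees have left the agency.
SEPARATIONS = [
    Separation("E1001", datetime(2013, 9, 2, 17, 0)),
    Separation("E1002", datetime(2013, 9, 3, 9, 0)),
]

# Constructed inventories pulled from each system.
ACCOUNTS = [
    Account("ad",    "jdoe",       "E1001", False, datetime(2013, 9, 2, 18, 30)),
    Account("badge", "B-44871",    "E1001", True),   # still opens the doors
    Account("vpn",   "jdoe",       "E1001", True),   # still connects from outside
    Account("ad",    "asmith",     "E1002", False, datetime(2013, 9, 5, 8, 0)),
    Account("badge", "B-51120",    "E1002", False, datetime(2013, 9, 3, 9, 15)),
    Account("db",    "svc_report", None,    True),   # nobody recorded as owner
    Account("ad",    "bwong",      "E2000", True),   # current employee, expected
]

ACTIVE_EMPLOYEES = {"E2000"}            # employees HR currently lists as active
NOW = datetime(2013, 9, 6, 12, 0)       # constructed "current time" for the run


def lingering_access(separations, accounts) -> List[Tuple[str, str]]:
    """(system, account_id) pairs still enabled for someone HR says has left."""
    gone = {s.employee_id for s in separations}
    return [(a.system, a.account_id) for a in accounts
            if a.enabled and a.employee_id in gone]


def unowned_access(accounts, active_employees) -> List[Tuple[str, str]]:
    """Enabled accounts not tied to any current employee, including accounts
    with no recorded owner; a per-person offboarding checklist never asks
    about these."""
    return [(a.system, a.account_id) for a in accounts
            if a.enabled and a.employee_id not in active_employees]


def deprovisioning_lag(separations, accounts) -> Dict[Tuple[str, str], Optional[float]]:
    """Hours from HR separation to each account being disabled, or None if it
    is still enabled. This is what the survey's 'longer than a day' measures."""
    sep_at = {s.employee_id: s.separated_at for s in separations}
    lag = {}
    for a in accounts:
        if a.employee_id not in sep_at:
            continue
        key = (a.employee_id, a.system)
        if a.enabled or a.disabled_at is None:
            lag[key] = None
        else:
            lag[key] = (a.disabled_at - sep_at[a.employee_id]).total_seconds() / 3600
    return lag


def over_sla(lag, max_hours: float) -> List[Tuple[str, str]]:
    """Accounts disabled later than max_hours after separation, or never."""
    return sorted(k for k, h in lag.items() if h is None or h > max_hours)


def deprovision(separations, accounts, now: datetime):
    """One trigger, every system: disable all still-enabled accounts of
    separated employees. Returns the updated inventory and the actions taken."""
    gone = {s.employee_id for s in separations}
    updated, actions = [], []
    for a in accounts:
        if a.enabled and a.employee_id in gone:
            updated.append(replace(a, enabled=False, disabled_at=now))
            actions.append((a.system, a.account_id))
        else:
            updated.append(a)
    return updated, actions


if __name__ == "__main__":
    print("still enabled for departed staff:", lingering_access(SEPARATIONS, ACCOUNTS))
    print("enabled with no current owner:   ", unowned_access(ACCOUNTS, ACTIVE_EMPLOYEES))
    print("disabled later than 24h or never:", over_sla(deprovisioning_lag(SEPARATIONS, ACCOUNTS), 24))
    fixed, actions = deprovision(SEPARATIONS, ACCOUNTS, NOW)
    print("disabled now:", actions, "remaining:", lingering_access(SEPARATIONS, fixed))
```

In a real deployment the inventories would be pulled from the directory, badge system, VPN and database servers by their own APIs, and `deprovision` would call their disable operations rather than rewriting a list; the point of the structure is that the HR separation feed is the single trigger and the check runs against every system's inventory, so an account that the termination checklist never mentioned still shows up in `unowned_access` and `over_sla`.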
Another option: moving identity and access management services to the cloud as a way of consolidating and automating services. Some agencies are still skittish about turning the reins over to a cloud provider because of security concerns, but others are exploring the benefits. The report notes that automated services enable organizations to consistently enforce policies and regulations, while improving security.