The insider threat is by no means the only—or, for some firms, even the principal—danger to data. However, when it comes to databases, the techniques used by external hackers will result in exactly the same behavior as that of a rogue insider. Likewise, the methods used to detect an attack and limit damage are essentially the same, regardless of where the attack originates.
Where things get tricky is that insider threat protection has the dual responsibility of protecting data while minimizing the impact on legitimate data access. And make no mistake: The value of data to a company increases as more people can use that data. Access makes users’ jobs easier and improves the quality of their work. Data is valuable in use. It’s why companies invest so much time and money in IT systems—to make it easy for trusted employees to access information as they need it.
But, unfortunately, an open-door policy for data access means insiders and outsiders are likely to take whatever they want. And it’s not just credit card numbers and personally identifiable information (PII), but company financials, sales data, and intellectual property that are easily leveraged for gain.
Fortunately, the strategies for minimizing damage from credentialed users are straightforward: isolate user access to narrow sets of data; gate data access based on specific business conditions; and monitor usage.
The first two strategies are all about ensuring that the right users access the right data, and that users have access only to the data necessary to do their jobs. User roles should be segregated to narrow the scope of resources available, and each user should be uniquely identified so you can determine who did what when.
These user controls must be augmented with data controls, further limiting access to data depending on the attributes associated with any given user session. These steps set conditions that limit what any given user can access, reducing damage that can result from an attack. Think of these as the black-and-white boundaries between approved and unapproved access.
The final strategy, database monitoring, addresses the gray area between static access controls. Monitoring provides the capability to forensically identify misuse and proactively detect a data breach when valid permissions are abused. By closely examining user actions, security pros can more effectively determine whether users’ intentions are malicious. Monitoring is how we sniff out suspicious—yet technically approved—access.
To get a detailed explanation of how to implement these strategies in your organization -- and to get an in-depth description of the technologies that support them -- download the full report on protecting databases from malicious insiders.
Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.