6 Ways to Stop Internal Information Leaks

Preventing Information Disclosure

Photo by AMagill

“Locks keep out only the honest” – Jewish Proverb

As a follow-up to my post on external information disclosure, I’ve put together my top 6 ideas for what you can do to reduce the risk of internal data theft and/or disclosure.  This is a tricky topic because how you approach your team about information security may affect their pereception of how you trust them.  It will also make their jobs more difficult and less efficient, which is always the tradeoff when securing a system.

The key is striving for a balanced, optimized approach, and iterating until you find a model that works for you.  There is no silver bullet or perfect set of locks, so you have to be vigilant and flexible in your approach.

Here are my top 6:

1. Minimum Accesss / Need to Know

Make sure that you have a granular system for granting access to customer data, private data, or trade secrets.  I’m not saying you should become the NSA or CIA, but you should think about how data could be misused and categorize it appropriately.  You could also divide responsibilities so people don’t have accesss to complete information when appropriate.

One key piece of advice I can give is to have a robust & secure tool for scrubbing your production data into your test environments.  This is really important for ensuring quality without compromising customer data, and is relatively easy to implement.   Your devs will love you.

Another thing to consider is revoking priveleges from time to time, or only granting access for a defined period.  Sometimes you get granted access for a specific project and when it ends you still have root to a server.

2. Understand The Rules

Make sure your team understands your policies for handling customer data.  Make sure the consequences are clear – both to the employee, and to the company.  Understand the specific laws for the countries you operate in, and any industry standards or certifications you should have.  In some cases you might be able to partner or outsource certain processes to more cost effectively remain in compliance.

3. Optimize Your Password Policy

It’s important to find the right balance so this doesn’t blow up in your face.  If you make your password policy too loose, you will have easy to crack passwords.  On the other hand, if the policy is too strict (too many special characters, too long, have to change too frequently), people will get frustrated and will write their passwords down.

A good rule of thumb is that people can easily remember 7 characters and they won’t want to change more than 4-6 times per year.  If you include 1 special character and ask people not to use dictionary words, you will be most of the way there.

4. Don’t Store it All in One Place

This is the “don’t put all your eggs in one basket” rule.  Think about how you can segment data to manage the risk of a large scale disclosure.  For example, if you store credit card numbers, perhaps they go in a different database (with different permissions) than the CVV codes & expiration dates.    Disclosing it is still bad, but not as bad as disclosing all of it together.

Another thing you can do is segment your customer data into multiple databases so if one is compromised you won’t lose it all.  This is also good for scalability.

5. Watch for Disclosure

Make sure you monitor your systems not just for external threats  but also for internal folks accessing things they shouldn’t.  Consider creating internal honeypots to see if there’s anyone you need to watch more closely.  I’m not advocating for Big Brother type of monitoring and if you seperate your data, follow the need-to-know rules, etc., the less internal monitoring you’ll need.

6. The Buddy System

This is a simple yet effective way to maintain the integrity of your systems.  When you’re accessing sensitive data, you have another person (not your supervisor, not your employee) buddy up with you and watch what you’re doing.  This is a common cash-handling procedure, and it works for customer data handling as well.

A Word of Caution

In conclusion, there are a few simple things you can do to make your information more secure.  You’re probably doing some of them, but it’s a good idea to check in on them from time to time.  Getting a third party to take a look can also be a smart move.

I will say that it’s important to communicate any policies or audits in the context of making the team better and helping customers, not trying to incrimate employees, show a lack of trust, or get in their way of doing their job.  If you can show that you trust your team, it’ll boost morale and hopefully avoid creating an incentive for a disgruntled employee to hurt the company.

How do you enforce internal security while maintaining trust with your team?

About Kit Merker

Product Manager @ Google - working on Kubernetes / Google Container Engine.
This entry was posted in Business Continuity, Cloud, Disaster Recovery, Downtime, Technology, Uptime and tagged , , , . Bookmark the permalink.

2 Responses to 6 Ways to Stop Internal Information Leaks

  1. Pingback: 8 Ways to Prevent Information Disclosure | Software Disasters

  2. Pingback: My Personal Woes of Data Loss | Software Disasters

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s