One of the continually fascinating parts of my job is talking to customers and understanding how they decide to pursue some goals over others. Last week I had the chance to sit with a modest size department of a fairly large city. They have just brought on a new CIO and his top priority item is Data Access Governance (DAG). How did that become his top priority? The story his team told me was funny and scary at the same time. They are in the middle of a big project to clean up their citizen records. There are duplicates, attributes in the wrong fields, missing attributes, and all the typical things that go wrong with large amounts of data that go through a multitude of technology systems over time. Of course, all this data is in a system that requires logins and passwords, and only certain people on the team have rights to see all the data. That has created significant logistical challenges as they try to formulate tactics to fix the data.
This is where copy and paste enters the story. One of the project leads had the bright (and very common) idea to copy and paste all the data into an excel spreadsheet. Since they wanted all the data, they did this logged on as one of the people who have full access to all the records. Since they wanted to be sure the team was all working from the same set of data, they put this big spreadsheet onto a file share. I bet you can guess the next part – since they weren’t sure what file share they would all have access to, they put it on the organization wide, open share. As you could imagine, the file contains all kinds of PII (names, addresses, services being provided, family members, etc.). Now, the next step in a story like this is typically tragic. Someone downloads the file to their laptop to work with on the train, loses the laptop, and a huge breach results. But I said this was funny. What happened next here was that an IT security person from the organization needed to make a benefits claim. That meant going to the organization wide, open file share to grab the form. As is typical, they couldn’t recall exactly where the form was and they were poking around and came across this file. And they completely freaked out. There was a huge tidal wave of discussions, lots of meetings with people explaining why it wasn’t their fault, and all of this as they are seeking this new CIO.
The end result is that during the interview process, the CIO picked up on the zeitgeist around this access to unstructured data and ran with it. Hence, the first priority he has is to roll out DAG. All because of copy and paste.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Jonathan Sander is STEALTHbits’ Chief Technology Officer (CTO). As CTO, he is responsible for driving technical innovation, ensuring that STEALTHbits is well positioned in their current and emerging markets, and he will also lead corporate development efforts. Jonathan also plays the role of evangelist at STEALTHbits venues large and small. Prior to STEALTHbits, Jonathan was VP of Product Strategy for Lieberman Software.
As part of Quest Software from 1999 through 2013, he worked with the security and ITSM portfolios. He helped launch Quest’s IAM solutions, directing all business development and product strategy efforts. Previous to that, Mr. Sander was a consultant at Platinum Technology focusing on the security, access control and SSO solutions. He graduated from Fordham University with a degree in Philosophy.