Whistleblowing site WikiLeaks has caused controversy in the US as highly confidential government data has found its way on to the site and into the public arena.
While much of the immediate media attention on this issue points to the need for stronger data loss prevention solutions to prevent critical data from leaking outside the organisation, there is a larger, access-related problem that government agencies need to address to minimise the risk of having confidential information exposed to the public.
This is becoming increasingly important as opportunities grow for spreading information on sites like WikiLeaks, which protect the identity of those who supply the information.
As Aveksa's recent research has shown, the US federal government is lagging behind commercial enterprises in its ability to manage the access of its users to critical information resources.
Government agencies need to implement processes to ensure that access to high-risk information is managed and governed effectively. Access must be limited to only authorised parties and be audited to determine who has accessed sensitive documents. Without taking this step, the risk of information exposure increases exponentially.
It is evident that much work still needs to be done to address access-related issues for government agencies.
According to a global, multi-industry survey conducted by the Ponemon Institute and commissioned by Aveksa, 79% of government IT practitioners admitted to having too much access to information resources that aren't pertinent to their role in the organisation. This may be because government organisations cannot keep pace with access change. Changes in employee access requirements are frequent and continuous, and 75% of those surveyed said that they could not respond quickly enough to this change.
What's going wrong?
So how is data leaked in governmental departments?
Often access policies are not regularly checked and enforced. The Ponemon study showed that 60% of organisations do not have or do not strictly enforce access governance policies.
Furthermore, 60% also do not immediately check user requests against security policies before access is approved and assigned.
This dramatically increases the risk that a user could simply request permission to access data outside their role in the organisation and leak this information to sites like WikiLeaks.
Why isn't anything being done? Organisations often lack the budget, resources and staff to effectively govern user access. More than two-thirds of those asked by Ponemon said a lack of IT staff was a key problem in enforcing access compliance policies and 59% of organisations reported that they did not have enough technologies in place to manage and govern these access compliance policies.
Governments need to find ways in which to do more with less and use an approach that is simple and can be easily achieved with fewer resources. To accomplish this, they must work with their IT and finance decision-makers to gain a greater understanding of their organisation's specific weaknesses and address these challenges to limit data leakage and avoid another WikiLeaks situation.
Brian Cleary is vice-president of products and marketing, Aveksa
This was first published in September 2010