Thursday, December 30, 2010

Clear and Present Danger

While contemplating writing a blog post on the WikiLeaks situation, I was thinking about an appropriate title that would convey the essence of this post. I was leaning towards a catchy phrase, and one of my favorite movies came to mind: Clear and Present Danger, starring Harrison Ford. That movie title does convey the essence of this post. There is a clear and present danger.

Confidential US diplomatic cables released by WikiLeaks are just the latest episodes of security breaches. Before publishing hundreds of thousands of diplomatic cables, WikiLeaks dumped Iraq and Afghanistan war documents. WikiLeaks is now rumored to be targeting a major bank in the USA. There may be other leaks that we are not even aware of. There is a clear and present danger.

At the least, the WikiLeaks dumps have embarrassed the United States Government. Hillary Clinton briefed foreign government officials on the leaks and apologized. At the least, the WikiLeaks dumps could have damaged our relations with our allies. At worst, the WikiLeaks dumps could have jeopardized the lives of our troops in Iraq and Afghanistan. At worst, WikiLeaks could have caused irreparable damage to our relationships with our allies. Experts and government officials all over the world are debating the impact of the leaks. Whatever the impact may be, there is a clear and present danger.

The United States Attorney General Eric Holder has opened a full investigation into the WikiLeaks dump. I don’t have all the facts in front of me, but it appears that this was an insider job. WikiLeaks didn’t hack into the government data repositories and steal the documents. It is reported that an insider was responsible for providing all the confidential documents to WikiLeaks. An insider had access to the cables and war documents. An insider managed to download the documents and then forwarded the cache to WikiLeaks.

I am an Oracle Database Administrator, responsible for maintaining the confidentiality, availability and integrity of the database. You may be as well. As a DBA, I take all the precautions to safeguard the confidentiality, availability and integrity of the database. As a DBA, I have developed many security checklists to tighten up the security on the databases and servers. Oracle security patches, access controls, database roles, privilege restrictions, authorizations, firewalls, intrusion detection systems, intrusion prevention systems, virus and malicious code protection, SQL injection prevention techniques and best coding practices are just a few examples of the technical security controls that DBAs implement to secure the database. I am absolutely certain that the confidential documents leaked by WikiLeaks were protected by the technical controls mentioned here, and that quite a few more were in place. It appears that these technical controls didn’t prevent the leaks. It appears that these technical security controls were not adequate.

Please don’t get me wrong here: the above mentioned technical security controls are absolutely essential. These controls lay the foundation for adequate security. The level of controls that you implement may vary, but we need to implement them. You need to evaluate threats and vulnerabilities to assess the risk that you are carrying or willing to take. Your security posture should be aligned with the risks that you can afford to take. Please bear in mind that there is a clear and present danger.

In order to fight the clear and present danger, Oracle DBAs need to look beyond the technical controls. Technical controls, or the lack thereof, do fail us from time to time, but it appears that the technical controls didn’t fail us in the WikiLeaks instance.

It is widely reported that the procedure to classify documents is out of control. The New York Times reports that the number of documents classified as Confidential has skyrocketed during the last decade. So has the number of government officials who have the authority to classify documents, and so has the number of people who have or need access to such documents. Per media reports, there are approximately 750,000 people with access to confidential documents. That's a very large number of people with access to confidential documents. It's counter-intuitive: one shouldn't share confidential information with too many folks! This is an example of how management and operational controls play a part in data security.
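The same "how many people can actually read this?" question applies to a database. As an added example (not code from the original post), this Oracle entitlement review expands nested role grants and lists every real user who can SELECT from the tables of a sensitive schema; the schema name CABLES is a placeholder, and the query assumes the reviewer can read the DBA_* dictionary views.

```sql
-- Added example: who can read the CABLES schema? (CABLES is a placeholder schema name)
-- Recursive subquery factoring needs Oracle 11g Release 2 or later.
WITH role_tree (grantee, granted_role) AS (
  -- direct role grants to users and to other roles
  SELECT grantee, granted_role
  FROM   dba_role_privs
  UNION ALL
  -- walk roles granted to roles so nested grants are not missed
  -- (Oracle rejects circular role grants, so no CYCLE clause is needed)
  SELECT rt.grantee, rp.granted_role
  FROM   role_tree rt
  JOIN   dba_role_privs rp ON rp.grantee = rt.granted_role
),
effective_privs (grantee, owner, table_name, privilege, via) AS (
  -- object privileges granted directly to a user (or to PUBLIC)
  SELECT grantee, owner, table_name, privilege, 'DIRECT'
  FROM   dba_tab_privs
  WHERE  owner = 'CABLES'
  UNION
  -- object privileges granted to a role, mapped back to each holder of that role
  SELECT rt.grantee, tp.owner, tp.table_name, tp.privilege, tp.grantee
  FROM   dba_tab_privs tp
  JOIN   role_tree rt ON rt.granted_role = tp.grantee
  WHERE  tp.owner = 'CABLES'
  UNION
  -- SELECT ANY TABLE reads every schema; report it as a wildcard row
  SELECT grantee, 'CABLES', '*ANY TABLE*', 'SELECT', 'SYS PRIV'
  FROM   dba_sys_privs
  WHERE  privilege = 'SELECT ANY TABLE'
)
SELECT   ep.grantee AS username, u.account_status, ep.table_name, ep.via
FROM     effective_privs ep
JOIN     dba_users u ON u.username = ep.grantee   -- real users only; drops role names
WHERE    ep.privilege = 'SELECT'
ORDER BY ep.grantee, ep.table_name;

-- The headcount is the number the review should challenge.
-- A grant to PUBLIC is not a user and is filtered out above: check it separately.
SELECT COUNT(*) AS public_grants_on_cables
FROM   dba_tab_privs
WHERE  owner = 'CABLES' AND grantee = 'PUBLIC';
```

Run it on a schedule and compare the result set with the last review; every name that appears without a documented business need is a management control failure, not a technical one.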

Management controls are those that deal with policies, procedures, scope, frequency, oversight, checks and balances, risk assessment, etc. Operational security controls are those that are enforced by people. There are quite a few security standards that preach the importance of management and operational controls. NIST SP 800-53 classifies security controls in three categories: management, operational and technical. HIPAA categorizes security controls as administrative and technical. So do other prevailing security standards.

As Oracle DBAs, we do get carried away by technical controls. We need to make sure that proper management and operational controls complement the technical controls that we implement. There is a clear and present danger out there!