Keeping Confidential Company Information Secure: Lessons Learned From The NSA


Disasters come in all forms – including information security breaches from employees you thought you could trust.

Just ask the National Security Agency.

Even the top security agencies have a few things to learn about keeping their own internal files safe and secure in a digital environment. Whether you agree or disagree with Snowden’s actions, it is undeniably true that the leak of highly sensitive security documents was a disaster of global proportions for the NSA.

Your business probably doesn’t maintain confidential documents that could affect national security. However, nearly every business has records in its possession that contain private information, and in the wrong hands that data could cause harm to your employees, your customers, and your business. You may have documents that contain:

  • An employee’s private health information or social security number.
  • A customer’s financial information, like credit card numbers.
  • The secret recipe to your company’s signature product.

In today’s world, information is extremely valuable. All businesses maintain files and documents that contain sensitive information that someone (yes, even someone you trust) may want to use for their own personal agenda. As we have learned, information leaks are a real disaster that can seriously damage, if not destroy, your business.

There are lessons here that every business can learn from.

Lesson Number 1: Every business has a need to share information freely among the people who need it, when and where they need it.

We know this, you probably know it; heck, even the NSA knows it:

“You can’t make good policy if you can’t keep more than one idea in your head at the same time. One of those important ideas is that we have to do a really good job of sharing information and disseminating it to people who really need to know it and do it fast.”

-Joel Brenner, former NSA inspector general as quoted in:
Officials: Edward Snowden’s Leaks Were Masked By Job Duties

As businesses, we’ve become accustomed to sharing files easily across multiple platforms, including cloud-based file sharing applications. As a result, we often think nothing of placing files that hold confidential or sensitive information in these shared locations.

We are 100% in favor of improving accessibility to information; in fact, it’s an integral part of the business solutions we provide for our clients. However, sharing files simply to make doing business easier, without thinking through the consequences, is a mistake.

The lesson? Before you share those files, ask yourself: Do I really know who has access to the employee file I just put in the shared folder? Can I track who has read the customer order form that includes their credit card information? Can I tell who has made a copy of the confidential memo with the details of my next major contract?

Which leads us to Lesson 2.

Lesson Number 2: The risk of losing confidential information may come from within your organization.

It has been widely reported that the leaked NSA documents were stored on a secure network file share. The files were placed there so that security analysts with the proper clearances could freely share information. This also provided a forum where analysts could discuss what they learned and share insights that might be useful to the organization.

This is a great practice in information sharing that we wholeheartedly support. Mission-critical information was made accessible to all analysts from any location, provided they had access to the intranet share. It also facilitated workflow among the analysts when documents needed to be disseminated and read by many individuals, which made information sharing faster and more efficient for the organization.

Here’s the rub: the NSA missed a few critical electronic document security principles in the interest of increased information sharing. More importantly, these security issues are not limited to files on a shared drive. This is a document security and access control issue, and it affects the confidentiality of any electronic asset stored anywhere within a computer network.

We need to make an important distinction here. Documents (i.e., content, records, etc.), including reports, presentations, spreadsheets, digital images, and PDFs, are files that contain actionable information. Files include every single electronic item stored on a computer system. Electronic files and folders require maintenance, just like paper files, and someone has to do that job, just like the file clerk in the records room.

Maintaining files on a server is a big part of an IT systems analyst’s or systems administrator’s job. As a systems analyst, Snowden could do whatever he wanted with the files he had access to, which was basically everything in the system, no matter where they were stored. As an NSA official said, “His job was to do what he did. He wasn’t a ghost. He wasn’t that clever. He did his job. He was observed [moving documents], but it was his job.”

There is a fundamental issue that the NSA seems to have forgotten when setting up its electronic document storage system. The NSA knew exactly how to manage document access when it operated in a paper-based system. Individuals who worked in the file and records storage areas needed the highest levels of security clearance, precisely because they had access to all of the files. Their jobs required it. The NSA simply failed to apply the same logic to file access in its electronic filing system, and it cost them dearly.

As a systems analyst, Snowden’s job included maintaining files across the computer network, much like the file clerk working in the records room. Unlike the file clerk, however, he did not have the appropriate security clearance to see the top-secret information contained in many of the files he had access to. Yet his “super-user” network rights superseded his security clearance and allowed him to do anything he wanted with the files. We now know that this included copying sensitive documents to a non-network drive and removing them from the facility: documents he really shouldn’t have been able to even view.

“Giving the same level of access to all systems to all administrators is dangerous. In most sensitive enterprise systems, administrators’ access powers are limited to very specific roles to prevent giving them the power to compromise multiple systems, making it more difficult for an insider to attack systems and cover his or her tracks.”

~“Sysadmin Security Fail”, Aug 29 2013

Don’t get us wrong: we love system admins and our fellow IT professionals, and we are not in any way suggesting that they shouldn’t be trusted to do their jobs. It does, however, raise critically important concerns that apply to each and every business. All businesses maintain files that contain private information that needs to be kept confidential, often by law (HIPAA, employment laws, etc.), with access limited to only those people who need it. As at the NSA, your IT staff may not actually need access to your confidential content in order to maintain the files that hold it.

The lesson here? Apply the same principles to electronic file access that you would use in a paper system. Know who has access to your records, decide whether they really need that access as part of their job, and restrict access accordingly. And make sure that everyone who has access, especially if you outsource your IT management, has been thoroughly vetted before you allow them near your information.

Which brings us to Lesson 3.

Lesson Number 3: Use document management controls and systems that track and limit information access to authorized individuals.

We all want access to our files when and where we need them. But we must protect the confidentiality and security of the private and sensitive information we maintain, no matter where it’s stored.

Simply storing files in a secure, “protected” workspace is clearly not enough. Just because a file share (whether it’s located on an internal network or in the cloud) is restricted to individuals with the right login credentials does not mean the information is protected. Login credentials establish who can reach the share, not what each person may do with each file once they are there. We know it takes more to ensure the security of confidential information.

“The NSA will now be ‘tagging’ sensitive documents and data with identifiers that will limit access to those individuals who have a need to see the documents and who are authorized by NSA leadership to view them. The tagging will also allow supervisors to see what individuals do with the data they see and handle.”

~Officials: Edward Snowden’s Leaks Were Masked By Job Duties

Implementing detailed user rights management, combined with access tracking and audit trails (which is what the NSA is now doing), is absolutely the right thing to do. The saddest part? It’s like shutting the barn door after the cows are out.

The technology to manage secure access to documents is hardly new, nor is the knowledge of why and how organizations need to follow these procedures. It’s not even that hard or expensive to implement if you use the right tools. The NSA even knew exactly how to do it, in a paper-based world. It simply needed to use a quality electronic document management system and well-designed access policies before it suffered what was truly a catastrophic data disaster.

What makes us qualified to make this claim? It’s our business to know: we’ve been implementing these procedures for our customers for years as part of each and every document management project we have completed.

Many document management systems include very detailed security and access rights tools that protect your information from internal and external threats. They also allow for safe access and sharing of files and documents when you need it, where you need it, from anywhere.

Implementing user access policies that protect documents down to the individual file level, and the proper organization of documents by content type, user access needs, and records retention rules and policies, is standard practice for a document management implementation. Placing security and access control in the hands of an end user with the appropriate clearance to see the content (for example, the head of your HR department), without requiring deep involvement from your IT staff, is often built in. And detailed audit tracking of every single activity that has ever taken place with each and every file? Just a part of the package.
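To make the controls in Lessons 2 and 3 concrete, here is an added example (not code from the original post, and not the product of any vendor it mentions). It models documents tagged with a classification level and a need-to-know compartment, users with a clearance and the compartments they have been read into, a “sysadmin” role that permits file maintenance (move, back up, delete) without ever granting content access, and an audit entry for every decision, allowed or denied. The level names, compartment tags, user names and sample documents are all constructed for illustration.

```python
"""Need-to-know document access with an audit trail (illustrative model)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Ordered classification levels. Assumed scheme for this example only.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Document:
    name: str
    level: str               # classification tag on the document
    compartments: frozenset  # need-to-know tags, e.g. {"HR"}
    body: str


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    compartments: frozenset  # compartments the user has been read into
    roles: frozenset         # operational roles, e.g. {"sysadmin"}


@dataclass(frozen=True)
class AuditEntry:
    when: str
    user: str
    action: str
    doc: str
    allowed: bool
    reason: str


class DocumentStore:
    """Separates 'maintain the file' rights from 'read the content' rights."""

    ADMIN_ACTIONS = {"move", "backup", "delete"}
    CONTENT_ACTIONS = {"read", "copy"}

    def __init__(self) -> None:
        self.docs: dict[str, Document] = {}
        self.audit: list[AuditEntry] = []

    def add(self, doc: Document) -> None:
        self.docs[doc.name] = doc

    def _need_to_know(self, user: User, doc: Document) -> tuple[bool, str]:
        # Both must hold: clearance dominates the document's level AND the
        # user holds every compartment the document is tagged with.
        if LEVELS[user.clearance] < LEVELS[doc.level]:
            return False, f"clearance {user.clearance} below {doc.level}"
        missing = doc.compartments - user.compartments
        if missing:
            return False, f"not read into {sorted(missing)}"
        return True, "clearance and compartments satisfied"

    def authorize(self, user: User, action: str, name: str) -> bool:
        doc = self.docs[name]
        if action in self.CONTENT_ACTIONS:
            allowed, reason = self._need_to_know(user, doc)
        elif action in self.ADMIN_ACTIONS and "sysadmin" in user.roles:
            # The 'file clerk' duties stay with the administrator, but the
            # role never satisfies need-to-know for read/copy above.
            allowed, reason = True, "sysadmin role: maintenance only"
        elif action in self.ADMIN_ACTIONS:
            allowed, reason = self._need_to_know(user, doc)
        else:
            allowed, reason = False, f"unknown action {action!r}"
        # Every decision, allowed or denied, is recorded for supervisors.
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     user.name, action, name, allowed, reason))
        return allowed

    def read(self, user: User, name: str) -> str:
        if not self.authorize(user, "read", name):
            raise PermissionError(f"{user.name} may not read {name}")
        return self.docs[name].body

    def activity_for(self, name: str) -> list[AuditEntry]:
        """Audit trail for one document: who tried what, and the outcome."""
        return [e for e in self.audit if e.doc == name]


def build_sample_store() -> tuple[DocumentStore, dict[str, User]]:
    """Constructed sample data: an HR head, a sysadmin, two tagged documents."""
    store = DocumentStore()
    store.add(Document("employee_file.pdf", "CONFIDENTIAL",
                       frozenset({"HR"}), "SSN and health details"))
    store.add(Document("contract_memo.docx", "CONFIDENTIAL",
                       frozenset({"SALES"}), "terms of the next major contract"))
    users = {
        "alice": User("alice", "CONFIDENTIAL", frozenset({"HR"}), frozenset()),
        "sam": User("sam", "INTERNAL", frozenset(), frozenset({"sysadmin"})),
    }
    return store, users


if __name__ == "__main__":
    store, users = build_sample_store()
    print(store.read(users["alice"], "employee_file.pdf"))
    print(store.authorize(users["sam"], "backup", "employee_file.pdf"))
    print(store.authorize(users["sam"], "read", "employee_file.pdf"))
    for entry in store.activity_for("employee_file.pdf"):
        print(entry.user, entry.action, entry.allowed, entry.reason)
```

Running the script shows the HR head reading the employee file, the sysadmin allowed to back it up but denied when trying to read it, and a per-file audit trail listing each attempt with its reason. One caveat a practitioner should keep in mind: this models the policy decision, not its enforcement. A check written in application code on a host the administrator controls can be bypassed, so a document management system has to enforce these rules somewhere the administrator cannot simply override (server-side under an identity the admin cannot assume, or with content encrypted under keys held by the data owners), and the audit log has to be written somewhere the same person cannot edit. That is why the post’s point about vetting whoever holds those rights still stands even with the tooling in place.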

And it doesn’t have to take hundreds of man-hours, distract your key staff from mission-critical activities or cost thousands of dollars to implement.

Document management systems are affordable (even for small businesses). They are generally easy to implement and do not require a lot of IT support, major consulting engagements or expensive hardware. They have proven to be effective and generally provide a rapid return on investment. Their use increases productivity and measurably improves a business’s bottom line. And we’ve been providing these solutions for businesses and government for over a decade.

We only wish the NSA had known then what we’ve known for years.

Just ask us how.
