When IT is the threat
By Beth Schultz, Network World, 03/19/2007
Here's a nasty little truth about the data-leakage problem: The people charged with keeping information systems up and running
often pose the biggest threat to information protection. They've got broad access and powerful tools, and they know how to
circumvent typical content-protection mechanisms.
This reality has some IT executives exploring ways to tighten up operational processes. Tom Ferris, a senior IT officer for
an international financial organization in Washington, D.C., is ditching a traditional server-administration model for one that strictly limits access by role. For example, application developers no longer get full
administrative access to and control of all servers. Now they have access to test and development servers but not the production
environment, Ferris says. Additionally, for maintenance purposes he uses BladeLogic's data-center automation software to set
role-based access controls and limit the types of tasks allowed.
Kern Weissman, director of network systems at Velocity Express, a same-day package-delivery company in Westport, Conn., also
is narrowing administrative access to servers. "Instead of saying, 'You have access to this system for this amount of time,'
we'll say, 'You have access to this system and this application for this amount of time,'" he says.
The company will gain this control through Xceedium's GateKeeper, which lets remote administrators manage centralized servers securely. GateKeeper consolidates access with a Web
portal, through which all administrators must pass to gain systems access. Everything is encrypted, including the tools available
through applets on the portal, and a company need only open one firewall port, says Cheryl Traverse, Xceedium CEO. Even rebooting
failed machines is handled through the portal, because GateKeeper consolidates network access, out-of-band signaling and power
on a single connection.
Martin O'Reilly, IT director at the Rutgers School of Business in Camden, N.J., considers GateKeeper a security tool. "We
use it as the sole access point to our mission-critical systems," he says. An administrator has an access account on the Web
portal, and the mission-critical system will allow access only from the GateKeeper connection, he adds. "When I think about
the insider threat, I think about the misuse of applications or systems that render them insecure," O'Reilly says. "And this
certainly provides another [protection] layer - and, of course, that's the ultimate goal."
Comments (1)
gatekeeper(s)
By tuomoks on April 10, 2008, 2:30 pm
A good idea but this level access control is ages old, IT (and other) threats is nothing new. Now, the implementations have been very few. technology thinking took...