An insider threat challenge could be posed if encryption keys are held by someone who leaves the company.
Speaking to SC Magazine, Steve Brunswick, strategy manager at Thales, said that while firewalls, patch management and intrusion prevention systems are needed, they do not stop the insider threat altogether.
He said: “A good identity lifecycle and strong encryption can add protection where it is needed. The insider threat is still a threat but not a risk, as you are not under attack all the time. You don't need to encrypt every email but any email can be read by any administrator, so if something is very sensitive you will encrypt or not, the problem you have to get to grips with is to risk assess your business and protect everything.”
He also said that the same issue can exist with sensitive information and applications, especially if access is granted to an administrator.
Jon Geater, director of technical strategy at Thales, said: “There is a realisation of the need to protect and while people realise the security implications to save time and money it does not always crop up in people's plans.
“People are penetrated by other relations in the physical world, would you take stuff that is aggregated with you or do you put it in a fire-proof safe or a safety deposit box? You understand the value of an asset, so what people need to do is understand that value, work out what access someone has and treat them differently.
“You can have an area that is protected and uses solutions and if someone uses a sign-in key you keep them away from any social emails. This is all good security practice and it will show benefits, as it gives a relatively easy way of keeping a business process as it is with added protection.”
Brunswick pointed to the recent change in the PCI DSS guidelines; requirement 3.6.5 now says 'retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key), or keys are suspected of being compromised'.
He said that with proper key management this would never happen, as requirement 3.6.6 says that 'if manual clear-text cryptographic key management operations are used, these operations must be managed using split knowledge and dual control'. He said: “The principle of key management is split controls with half of the key given to someone else, but they are never stored together. So how can this happen?”
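As an added illustration of the split-knowledge and dual-control principle described above (example code written for this page, not Thales' or any PCI reference implementation; the custodian names, the 256-bit key and the XOR component scheme are assumptions), each custodian holds one random component, the key exists only when every component is combined, and a departing custodian's component is made worthless by re-splitting the same key:

```python
import hashlib
import secrets
from typing import Dict, List

# Constructed example: XOR-based key components with a check value, in the
# style of an HSM key ceremony. Names and key material are illustrative.

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def key_check_value(key: bytes) -> str:
    # Short check value: lets a ceremony confirm the reconstructed key
    # without anyone seeing or recording the clear-text key itself.
    return hashlib.sha256(key).hexdigest()[:6]

def split_key(key: bytes, custodians: List[str]) -> Dict[str, bytes]:
    """Split knowledge: each custodian receives one random component.
    The key is the XOR of all components, so any proper subset of them
    reveals nothing about it; components are never stored together."""
    if len(custodians) < 2:
        raise ValueError("dual control needs at least two custodians")
    components = {n: secrets.token_bytes(len(key)) for n in custodians[:-1]}
    last = key
    for component in components.values():
        last = xor_bytes(last, component)
    components[custodians[-1]] = last  # final component makes the XOR equal the key
    return components

def reconstruct_key(components: Dict[str, bytes], quorum: int, kcv: str) -> bytes:
    """Dual control: the key is rebuilt only when every custodian is present,
    and the result is checked against the recorded KCV before use."""
    if len(components) < quorum:
        raise PermissionError(f"only {len(components)} of {quorum} custodians present")
    key = bytes(len(next(iter(components.values()))))
    for component in components.values():
        key = xor_bytes(key, component)
    if key_check_value(key) != kcv:
        raise ValueError("key check value mismatch: a component is wrong or missing")
    return key

def resplit_on_departure(components: Dict[str, bytes], quorum: int, kcv: str,
                         departed: str, replacement: str) -> Dict[str, bytes]:
    """When a custodian leaves, the full component set (the departed person's
    component coming from secure escrow) rebuilds the key once, and fresh
    components are issued. The departed custodian's old component is then useless."""
    key = reconstruct_key(components, quorum, kcv)
    new_custodians = [replacement if n == departed else n for n in components]
    return split_key(key, new_custodians)
```

Because no single person ever holds the clear-text key, a departure triggers a re-split of components rather than the key retirement that requirement 3.6.5 demands for a known clear-text key.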
Geater pointed out that the chief financial officer could say that a system administrator has to be released, but if that administrator has the encryption keys to the database there would be a major problem.
Speaking later at a roundtable hosted by ArcSight, Steve Cummings, former director of the UK Centre for the Protection of the National Infrastructure and now a special adviser to Deloitte's enterprise risk services division, asked whether the insider threat is real or a made-up one. He said: “That is not the case; there is a lot of evidence which suggests that organisations should be concerned about people that they employ and their trustworthiness and behaviour.
“The threat is real and there are reported incidents coming from inside. In terms of vulnerability, it looks like organisations believe themselves to be vulnerable to insider attacks, and rightly or wrongly that does affect their feeling about the external threat.”