SYS-CON Media: Blog Feed Post

Security threats: The real Authorization level of the CEO's Secretary

A few years ago I watched a bank branch's working process.
Senior Bankers received a digital card that had to be presented before executing operations requiring a higher level of authorization.

Other bankers had a lower authorization level. They did not receive these cards and were prohibited from executing operations that required high-level authorization.

The computerized branch systems were built according to the defined authorization levels. However, Senior Bankers were busy. When another banker asked a Senior Banker to perform an operation, very often the Senior Banker handed over his digital card instead of executing the operation himself, and asked the other banker to execute it on behalf of the senior and busy banker.

The real authorization system was different from the formally analyzed, designed and developed system.

The real system authorized every banker to execute most operations.

The formal system limited the authorization of non-Senior Bankers.

This kind of dissonance between implemented systems and real-life systems is very common in other banks and in other verticals as well.

The most confidential business data and reports
This includes data about strategy, new R&D and new products, plans and reports, and data summarizing overall business performance.

If such data leaks, competitors could gain from it, and the company's business results could be worse than the results it would have achieved had the data not leaked.

Naturally, only top management team members are authorized to access this data.
However, Top Managers are even busier than Senior Bankers.
They will do exactly what the Senior Bankers described in the previous section did:
they will give their authorization to their Secretaries.

The real authorization system is again different from the planned authorization system.
Are the over-authorized Secretaries a bigger security threat than the Top Managers?
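Both stories above (the Senior Banker's card and the Top Manager's Secretary) describe the same design gap: the formal system has no way to express "this person acts for that person," so people route around it by sharing the credential, and the audit trail then records the wrong actor. The following is an added illustration, not code from the bank or from the author, of the alternative a least-privilege design would offer: explicit delegation that is scoped to the operations actually needed, time-limited, bounded by what the grantor itself holds, and logged with the real actor's identity. All names, operations and timestamps are constructed for the example.

```python
"""Explicit, scoped delegation instead of handing over the senior's card.

Hypothetical model (not any real bank's system): each user has a formal role
with a set of operations; a user may delegate a subset of its own operations
to a named delegate for a limited time; every decision is written to an audit
log that records both who acted and on whose behalf.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Delegation:
    """A scoped, time-limited grant: `delegate` may run `operations` for `grantor`."""
    grantor: str
    delegate: str
    operations: frozenset
    expires_at: datetime


class Clock:
    """Constructed test clock so the example runs deterministically offline."""
    def __init__(self, start):
        self.now = start

    def advance(self, delta):
        self.now += delta


class AuthorizationService:
    def __init__(self, roles, clock):
        # roles: user -> operations the formal system grants that user directly
        self.roles = {user: frozenset(ops) for user, ops in roles.items()}
        self.clock = clock
        self.delegations = []
        self.audit = []  # one record per decision: who acted, for whom, what, result

    def delegate(self, grantor, delegate, operations, ttl):
        """The grantor hands over a subset of its own rights, never the whole card."""
        ops = frozenset(operations)
        own = self.roles.get(grantor, frozenset())
        if not ops <= own:
            raise PermissionError(f"{grantor} cannot delegate {sorted(ops - own)}")
        grant = Delegation(grantor, delegate, ops, self.clock.now + ttl)
        self.delegations.append(grant)
        return grant

    def authorize(self, actor, operation, on_behalf_of=None):
        """Decide, then record the decision under the real actor's identity."""
        if on_behalf_of is None:
            allowed = operation in self.roles.get(actor, frozenset())
        else:
            allowed = any(
                d.delegate == actor
                and d.grantor == on_behalf_of
                and operation in d.operations
                and self.clock.now < d.expires_at
                for d in self.delegations
            )
        self.audit.append({
            "at": self.clock.now, "actor": actor, "on_behalf_of": on_behalf_of,
            "operation": operation, "allowed": allowed,
        })
        return allowed


def run_branch_scenario():
    """Walk through the branch story with explicit delegation; return the outcomes."""
    clock = Clock(datetime(2024, 1, 1, 9, 0))  # constructed timestamp
    svc = AuthorizationService(
        roles={
            "senior": {"approve_large_transfer", "override_limit", "open_account"},
            "junior": {"open_account"},
        },
        clock=clock,
    )
    results = {}
    # 1. The junior tries directly: the formal system says no.
    results["direct"] = svc.authorize("junior", "approve_large_transfer")
    # 2. The senior delegates only the one operation needed, for one hour.
    svc.delegate("senior", "junior", {"approve_large_transfer"}, timedelta(hours=1))
    results["delegated"] = svc.authorize("junior", "approve_large_transfer", on_behalf_of="senior")
    # 3. The delegation does not carry the rest of the senior's rights along.
    results["outside_scope"] = svc.authorize("junior", "override_limit", on_behalf_of="senior")
    # 4. After expiry the grant is dead.
    clock.advance(timedelta(hours=2))
    results["expired"] = svc.authorize("junior", "approve_large_transfer", on_behalf_of="senior")
    # 5. Nobody can delegate rights they do not themselves hold.
    try:
        svc.delegate("junior", "senior", {"override_limit"}, timedelta(hours=1))
        results["overreach_blocked"] = False
    except PermissionError:
        results["overreach_blocked"] = True
    # The audit trail names the junior, not the senior, as the actor on the approval.
    results["audit_actor"] = [r["actor"] for r in svc.audit if r["allowed"]]
    return results


if __name__ == "__main__":
    for key, value in run_branch_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the audit record: when the card is shared, the log says the Senior Banker approved the transfer; with explicit delegation it says the junior approved it on the senior's behalf, under a grant that is narrower and shorter-lived than the senior's own rights. The same shape applies to the Manager and the Secretary, with the report-access operations in place of the banking ones.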


The Top Managers
A Top Manager benefits a lot from not breaching security by exposing or selling confidential data.
His salary is high and he may receive a high bonus as well.

If he sells confidential data to a competitor he may lose everything: no more high salary and high bonus, and worse than that, no other company will ever employ him as a manager.

The probability that a CEO or other Top Manager will sell the most important confidential data to a competitor is extremely low.

It is reasonable to assume that he is aware of the risk of unintentionally exposing such data to people who are not authorized to access it, and that he avoids that risk.


The Secretaries
A Secretary selling confidential data has less to lose and more to gain than a Manager.

Her salary is far from high. She does not expect, and probably will never get, a high bonus.

She may run a little shop or another type of small business instead of working as a secretary.

The probability that she will breach security and intentionally deliver confidential data is low, but it is significantly higher than the probability that a Top Manager will do so.

As far as unintentionally exposing a printed report is concerned, I am not so sure that the probability that a Manager's Secretary will do it is low.

It is all about security awareness. The Manager should be more aware, and the security team will probably remind him periodically of the security requirements, because of the high formal authorization granted to him.


More Stories By Avi Rosenthal

Avi has over 30 years of experience in IT across a wide variety of technology platforms, including application development, technology selection, application and infrastructure strategies, system design, middleware and transaction management technologies, and security.

Positions held include CTO for one of the largest software houses in Israel as well as the CTO position for one of the largest ministries of the Israeli government.
