The extraordinary thing about the current Wikileaks news is that the documents were obtained by someone with relatively low level privileges. In fact, almost all of the documents that seem to turn up on sites like Wikileaks were obtained by people who are in the lower echelons of their organization.
The scale of the Wikileaks information dump indicates a profound failure in the application of security using Access Control Lists (ACLs). The form of ACL that most people reading this article will be familiar with is NTFS and Shared Folder permissions. One thing I’ve noticed as both a trainer and as an author is that a lot of experienced people fundamentally misunderstand how permissions work, especially when you combine NTFS with Shared Folder permissions. When you get to the stage of having to work out permissions through memberships of nested groups at both levels, what you generally end up with is an administrator who is flummoxed. Which is why, in all probability (though I can’t say for sure), the people who obtained the documents that later leaked were able to do so because the security permissions that protected those documents weren’t properly applied. And if they, in theory, aren’t properly applied at places like the US Military or State Department, what are the chances that they are properly applied at the place where you work?
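To show why nested groups at both levels flummox people, here is an added example (not from the article) that works out a user’s effective access to a shared document: it expands nested group membership, evaluates the share ACL and the NTFS ACL separately, and takes the most restrictive result. The directory, group names and ACLs are constructed samples, share and NTFS rights are both reduced to read/write, and “any deny wins” stands in for the real Windows ACE ordering rules.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample directory: group -> direct members; members may
# themselves be groups, which is where the nesting trouble starts.
GROUPS: Dict[str, Set[str]] = {
    "Analysts": {"alice", "Interns"},
    "Interns": {"bob"},
    "Classified-Readers": {"Analysts"},
    "Everyone": {"alice", "bob", "carol", "dave"},
}
# ACL entries: (principal, "allow" | "deny", rights). Real share and NTFS
# rights have different names; both are reduced to read/write here.
Ace = Tuple[str, str, Set[str]]
SHARE_ACL: List[Ace] = [("Everyone", "allow", {"read"}), ("Analysts", "allow", {"write"})]
NTFS_ACL: List[Ace] = [
    ("Classified-Readers", "allow", {"read"}),
    ("Analysts", "allow", {"write"}),
    ("Interns", "deny", {"read", "write"}),   # Interns are nested inside Analysts
    ("dave", "allow", {"read", "write"}),
]

def principals_for(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The user plus every group reachable through nested membership."""
    found = {user}
    changed = True
    while changed:   # iterate to a fixed point so any nesting depth is covered
        changed = False
        for group, members in groups.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found

def effective_acl(user: str, acl: List[Ace], groups: Dict[str, Set[str]]) -> Set[str]:
    """Cumulative allows across every matching principal; any matching deny wins."""
    who = principals_for(user, groups)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal, kind, rights in acl:
        if principal in who:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied

def effective_access(user: str, share: List[Ace], ntfs: List[Ace],
                     groups: Dict[str, Set[str]]) -> Set[str]:
    """Access over the network is the most restrictive of the two layers."""
    return effective_acl(user, share, groups) & effective_acl(user, ntfs, groups)

def who_can(right: str, users: List[str], share: List[Ace], ntfs: List[Ace],
            groups: Dict[str, Set[str]]) -> List[str]:
    """Audit helper: which users actually end up with a given right on the document."""
    return sorted(u for u in users if right in effective_access(u, share, ntfs, groups))
```

Running `who_can` over every account is the check an administrator should make before trusting that a share is locked down: bob is denied through a nested group, carol has share access but no NTFS rights, and dave has NTFS write but is capped at read by the share.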
There is no perfect solution that ensures that documents your organization wants kept secret cannot be leaked and posted on the internet. If someone who has legitimate access to a document wants to share it, there is a good chance that they’ll be able to do that. What you can do is ensure that low level people who should not have access to important documents don’t have it. A more reliable way of ensuring that the access actually granted to a document is exactly the access that should have been granted is through technologies such as Active Directory Rights Management Services.
AD RMS is a technology that has been included with the Windows Server operating system since Server 2003 R2. To grossly simplify how AD RMS works - rather than assigning permissions to accounts at the file level, you use digital rights management technology to configure rights at the document level. When you configure rights at the document level, it doesn’t matter what NTFS or Share permissions are assigned at the file level. Unless someone is given the right to open a document, they can’t open it. You can even block people from opening sensitive documents on computers outside the domain. These rights are enforced by applications and managed centrally through Active Directory. AD RMS allows you to revoke rights to a document once the document has been distributed, should you so choose. You can also go further and segment a user’s rights so that one user might be able to read a document but is unable to copy any aspect of that document (including taking a screenshot). You can also stop a user from printing a document. AD RMS also fully integrates with Exchange, so people can’t forward sensitive documents outside the organization unless they are explicitly given permission to do so. With AD RMS, you can’t open a document unless the application supports AD RMS. The document is essentially in an encrypted, locked-off state until someone who has the rights to open it does so with an application that can obtain a license for that document from the central AD RMS server. If the application doesn’t support AD RMS, the file is unreadable.
What this means from the perspective of stopping a Wikileaks type event is that if someone is surfing file shares at the organization and copying everything they have access to onto a local storage device, they won’t be able to open those copied files unless they have actually been granted the right to do so. 250,000 files obtained from various file shares are pretty useless if you don’t have the ability to open any of them.
AD RMS does have the ability to perform license recovery, so that an Administrator could recover a document that they haven’t been directly granted rights to, but this process can be secured, and in the cases of the documents that are turning up in places like Wikileaks, it isn’t the sysadmins who are doing the leaking. At the moment rogue sysadmins aren’t the problem, but procedures can be put in place to lock them down as well.
AD RMS is a nifty technology that has been included with Windows Server operating systems for some time. As organizations become more aware of the perils of information leakage (and with the exposure Wikileaks is getting, how can they not be aware of it?), they are going to want to look at solutions that minimize the possibility of an embarrassing data dump turning up on a public web site. AD RMS won’t prevent all information from leaking, but it will do a better job of stopping leaks than NTFS and Shared Folder permissions currently do.