Saturday, December 10, 2016

Security threats: The real Authorization level of the CEO's Secretary

Few years ago I watched a bank's branch working process.
Senior Bankers received a digital card which should be passed prior to executing operations requiring higher level of Authorization. 

Other bankers has lower Authorization level. They did not receive these cards. They are prohibited from executing high level authorized operations.

The Computerized Branch systems were built according to the defined Authorization levels. However, Senior Bankers were busy. When another banker asked a senior banker to perform an operation very often he gave him his digital card instead of executing the operation and asked him to execute the operation behalf of the Senior and Busy Banker.

The real Authorization system was different from the formal analyzed, designed and developed systems.

The real system authorized every banker to execute most operations.

The formal system limited Authorization of non-Senior Bankers.

This kind of dissonance between implemented systems and real life systems is very common in other verticals as well as well as in other banks.

The most confident Business data and Reports
It includes data about Strategy, New R and D and new Products, Plans and reports and data summarizing overall Business Performance.

If such data will leak competitors could gain and the company's Business Results could be worse than the Results achieved if the data would not leak.

Naturally, only Top Management team members are authorized to access this data.
However, Top Managers are even busier than Senior Bankers.
They will do exactly what the Senior Bankers depicted in the previous section did:
They will give authorization to their Secretaries.

The real Authorization system is again different from the planned Authorization system.
Are the over authorized secretaries a bigger Security threat than the Top Management?


The Top Managers
A Top Manager can benefit a lot from not breaching Security by exposing or selling confidential data.
His salary is high and he may receive high bonus as well. 

If he will sell confidential data to a competitor he may lose everything: No more high salary and high bonus but more than this: no other company will ever employ him as a manager.

The probability that CEO or other top manager will sell the most important confidential data to a competitor is extremely low.

It is reasonable that he is aware of the potential risk of exposing such data unintentionally to people who are not authorized to access it and avoid of that risk. 


The Secretaries
A Secretary selling confidential data can lose less and win more than a Manager.

Her salary is far from being a high salary. She does not expect, and probably will never get, high bonus.

She may operate a little shop or other type of small business instead of working as a secretary. 

The probability that she will breach Security and deliver intentionally confidential data is low, but it is significantly higher than the probability that a Top Manager will do it. 

As far as exposing a printed report unintentionally is concerned, I am not so sure that the probability that a Manager's Secretary will do it is low.

It is all about Security Awareness. The Manager should be more aware and probably the Security team will periodically remind him of the Security requirements due to the high formal authorization granted to him.



 



      

Public Cloud Core Banking: Hype or Reality? - Revisited

  More than 4 years ago I was asked if Public Cloud Core Banking is a Hype or a Short Term Reality? If you had read the post, you would prob...