What these two incidents point is that many organizations need to seriously address the issues of how to protect sensitive data, and how to control privileged access to systems. Simply encrypting sensitive data is of little use if those who manage the systems where the data is kept have uncontrolled access. Conversely, protecting the privileged password is all well and good but if the user can access highly confidential data, without leaving any trace, after gaining access to the password then it defeats one of the major purposes of protecting privileged accounts.

For example, the Payment Card Industry (PCI) standard requires the protection of stored cardholder data, and restricting access to cardholder data by business need-to-know. SOX mandates that corporate management take responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. In other words, if you are staff are able to have unauthorized access to sensitive data once they have access to a privileged password then you’re only addressing half the problem.


That two major companies have made headlines is more an indication of the overall state of data security within organizations. No one would deny that both organisations have the means to deploy the best technology, the problem I would suggest is that they both appear to have placed to much trust in the integrity of staff, and where overly dependent on staff carrying out their responsibilities effectively. Despite the fact that the buck stops at the top, the first people who should come under serious scrutiny are the senior security staff whose job it is to ensure that these incidents do not happen.

Passwords – Protecting the Key

Passwords remain the primary key used to unlock access to business-technology systems. Passwords need to have limited use-life. System-level passwords, such as those used to gain access to networking equipment and server/application administration need to be changed regularly, and in some cases should be “one-time-only”. All privileged or “super” user passwords should be centrally maintained and managed. Basic employee passwords used to access business applications, computers, e-mail accounts etc., should be similarly recycled regularly. Despite widespread knowledge of sound password policy, many organizations still fail to adequately create, manage, and retire their usernames and passwords effectively.