I get the weekend edition of the Minneapolis Star Tribune and read an article that I found very intriguing. What intrigued me wasn't the core issue the article was talking about, but that it missed the point on where the real problem is.
The article was written by Eric Roper @StribRoper and is titled Misuse of Minnesota drivers’ records is relatively common.
You can read the full article here.
Putting on my IT security hat (do I ever take it off?) I am going to point out some gaps and show what the real problem is at the State of Minnesota. I am sure this problem exists in other places as well, but the article was focused on the State of Minnesota. I am not picking on them, although it's sad my tax dollars are not being properly used to protect my data.
First off, the title of the article is not what the article is really about. It should be titled The State of Minnesota Lacks Proper Access Management and Activity Monitoring To Citizens’ Data. That's the real issue here: it's not that government workers are looking up data on people and celebrities, but that they have all the access in the world to do so unchecked.
“In the last two years, audits have revealed that about 160 individuals, mostly in government agencies, have improperly used Minnesota’s Driver and Vehicle Services (DVS) database.”
The article says that they discovered the improper use… but over two years. That is not really being on top of it, and it's a detective audit, meaning a search after the violation has occurred. Nothing preventative is in place to stop it before it happens.
“This makes my blood boil. It just seems like it’s a perpetual problem,” said Rep. Mary Liz Holberg, R-Lakeville, who often handles data issues at the Legislature. “If we’re building new computer systems, which supposedly we are, we shouldn’t be having these issues.”
The State of Minnesota may very well be implementing a new database system, upgrading equipment, working on speed, but I can assure you that improving a broken access management and monitoring system wasn’t part of the plan. New doesn’t mean better all the time.
“The department conducts monthly audits of the top 50 most active users, while also following up on agency requests and outside complaints. Bruce Gordon, a spokesman for the department, said his agency is developing a method of performing randomized audits.”
So if you are a light violator you are in the clear, because only large quantities are a concern, not the small peeks. Bruce Gordon, the spokesman for the department, made a statement that tells me they are working on expanding auditing and not on preventing the misuse to begin with.
The rest of the article goes on and on about other examples of misuse and account sharing, and really shows the lack of access management and control the State of Minnesota has around the federally protected Driver and Vehicle Services database. Their “fix” to address this problem is to get better auditing to find violators, but I didn’t see anything where anyone said they were going to address the free access people have in the first place.
Here’s what I would do, aside from a full Enterprise Access Management and DLP implementation.
- Supervisors get query counts for all their employees' daily activity. If an employee has 1,000 one day, the manager can question it that day, not two years later in an audit search that may not find it.
- Tie the names queried to the names they were working on.
- Re-design the database to not allow free searches from any user at any time. Lock it down overnight for users that only work during the day. Why is it wide open? Development costs to build that still look cheaper than this security problem? Hmm?
- If there is a reason to search then there must be a Service Ticket #, Call #, Issue #, or some other activity tracking that requires a database search. Force users to enter that ticket number before they can search. If you search without a ticket #, red flags go up.
- Does every user need to access every piece of data in their search? I assume when they search a user they get everything, but does a clerk in some random office need to see driving records when they are just validating identity?
- Two factor authentication to stop account sharing.
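The daily review described in the list above (query counts, time-of-day restrictions, and the ticket-number requirement) can be sketched as a check over lookup records. This is an added example, not anything from the article or the State's systems; the record format, user names, ticket IDs, threshold and shift hours are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of lookup audit records (not real data):
# timestamp, user, subject queried, ticket number (empty = none entered)
SAMPLE_LOG = """\
2012-10-15T09:12:00,clerk01,SUBJ-1001,TCK-5001
2012-10-15T09:40:00,clerk01,SUBJ-1002,TCK-5002
2012-10-15T10:05:00,officer07,SUBJ-2001,
2012-10-15T23:47:00,clerk02,SUBJ-3001,TCK-5003
2012-10-15T11:00:00,officer07,SUBJ-2002,TCK-5004
2012-10-15T11:01:00,officer07,SUBJ-2003,TCK-5004
2012-10-15T11:02:00,officer07,SUBJ-2004,TCK-5004
"""

# Assumed policy values; a real deployment would set these per role.
DAILY_LIMIT = 3
SHIFT_HOURS = {"clerk01": (8, 17), "clerk02": (8, 17)}  # unlisted users: any hour


def review(log_text, daily_limit=DAILY_LIMIT, shift_hours=SHIFT_HOURS):
    """Return {user: sorted list of flags} for one batch of lookup records."""
    counts = Counter()
    flags = {}
    for line in log_text.strip().splitlines():
        ts, user, _subject, ticket = line.split(",")
        when = datetime.fromisoformat(ts)
        counts[(user, when.date())] += 1
        # A search with no ticket/call/issue number raises a red flag.
        if not ticket:
            flags.setdefault(user, set()).add("no_ticket")
        # Day-shift users should not be querying overnight.
        start, end = shift_hours.get(user, (0, 24))
        if not start <= when.hour < end:
            flags.setdefault(user, set()).add("off_hours")
    # Per-user, per-day volume that a supervisor should question the same day.
    for (user, _day), n in counts.items():
        if n > daily_limit:
            flags.setdefault(user, set()).add("over_daily_limit")
    return {user: sorted(f) for user, f in flags.items()}


if __name__ == "__main__":
    for user, user_flags in review(SAMPLE_LOG).items():
        print(user, user_flags)
```

The same three conditions are better enforced at query time (reject the search) than reported afterwards; the report form is shown because it needs nothing more than the audit log.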
This bothers me to the extreme. We, the private sector, should be taking note of how the government protects their data. I can tell you I would never build a critical system like this; no company with a security department would allow this free rein. Ironically it’s the governments conducting and dictating standards like HIPAA and FFIEC, yet they can’t lock down a database from excessive searches because they don’t have a “Need to Access Only” policy and implementation in place.
Two years of misuse… that they found.
End of line.
UPDATE – Strange coincidence that the evening I posted this the local news had a report of a woman receiving over $600,000 in payout from various police departments for unlawful lookups to her DVS data. $600,000 can go a long way to fix the access problem. Auditing after the fact won’t stop the act… or the money in damages paid out. http://www.myfoxtwincities.com/story/19841736/anne-marie-rasmusson-privacy-settlement
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.