If you haven’t heard or read about the Panama Papers data leak over the last few days, you’ve either been on a remote island in the South Pacific or you’ve had your head in the clouds. The data breach at law firm Mossack Fonseca, in which a multitude of documents were leaked to a reporter in Germany and subsequently investigated by a consortium of journalists, is without doubt the largest whistle-blowing episode in recent history.
What makes the data breach all the more newsworthy is that the documents implicate leaders, political figures, their associates and their families worldwide; there are certainly some embarrassed faces on our TV screens and in our newspapers at the moment! Whilst at the moment it is only a series of allegations, and establishing offshore companies is not illegal, it is the implication that the rich and powerful are using offshore accounts as tax havens that is causing such a stir.
But let’s take it back a bit; the leaked information of emails, databases, documents, financial spreadsheets, corporate records, etc. contained as much as 40 years of data from the law firm. Many of these documents were encrypted internal documents, and sophisticated encryption tools were needed to open them. Mossack Fonseca probably believed that by encrypting their internal data they would be safe from cyber hacking; obviously not, which leads one to ask, ‘What happened to Privileged Access Management?’
Surely information that is highly sensitive needs to be controlled and only handled by users that have been granted special, or privileged, access. Is it not irresponsible of Mossack Fonseca to allow any member of their staff to be able to access such confidential accounts?
A Privileged Access Management (PAM) policy and the use of super-user accounts within the law firm’s IT environment may have helped to prevent the breach. It may have ensured not only that the relevant authentication and password requirements were needed by those authorised to access those specific accounts, but also that there was the capability to provision and audit user access, thereby highlighting a breach internally before it ever got as far as the press. User accounts that are unmanaged and unaudited can lead to data theft and the loss of sensitive corporate information, and that can have far-reaching repercussions, as is the case with the Panama Papers.
Many organisations today are finding that a simple identity management solution is not enough when handling information of such a highly confidential nature, and it doesn’t deliver the control required to monitor access to that information. With the increased level of cyber attacks being experienced, the implementation of a PAM solution is providing an increased level of security, establishing tools and processes to manage super-user accounts.
Privileged Access Management is becoming increasingly important for organisations and businesses today as they are finding that traditional security measures are not always robust enough to prevent internal data breaches. The creation of super-user accounts and privileged accounts helps to automatically prevent internal cyber attacks.
ZONE SE7EN has identified PAM as a key element of any security measures being implemented and our forthcoming Privileged Access Management live Roundtable event on 19th April 2016 will delve deeper into why PAM and super-user accounts are needed, how they can help meet compliance and regulatory requirements, and protect your business or organisation from the inside out.
Key speakers include Jackson Shaw from Dell Security alongside Joseph Carson from Thycotic, who sees controlling privileged user accounts as a security priority and asks, “Is it in your policy? Is it internally enforced?” We also welcome analyst Bob Tarzey from Quocirca and Amar Singh from the Cyber Management Alliance.
Amar Singh commented: “There is none other more powerful than the privileged insider who often holds the master keys to all if not most of the Crown jewels.”
Bob Tarzey added: “Be it insiders or outsiders, the result of privilege abuse will be business disruption and/or data leaks.”
Some of the topics to be covered by the event will include why the management of privileged user accounts is so important and the risks of unmanaged super-user accounts, preventing potential data breaches and dealing with targeted accounts, how current identity access management solutions are being enhanced to allow the effective management of privileged identity user accounts, and the benefits of creating powerful privileged user accounts to an organisation or business.
Whether a PAM solution would have prevented the data leak at Mossack Fonseca or not remains to be seen, and no doubt this is a lesson to be learned by law firms, and equally by all organisations worldwide.
To learn more about Privileged Access Management and how it can help protect your organisation, view ZONE SE7EN’s Privileged Access Management event taking place on 25th May 2016, and register via ZONE SE7EN’s Insight Zone.