Look who has access to your email

Computerworld - At a time when external hacks are grabbing headlines, frequently unreported internal security breaches involving low-level administrators accessing high-level executive e-mail and other systems are driving efforts to limit access to only the most highly trusted personnel.

Although the internal access problem is well known, strategies for resolving it are being formulated by a surprisingly small number of companies, which are largely seeking out encryption technology from a handful of IT vendors. And while those products are helpful, they do not reveal how many systems administrators, database administrators, storage administrators and upper-echelon "super users" are accessing sensitive executive information.

Asked how many employees typically have access to sensitive data, such as executive e-mail or personal customer information, veteran data storage professional Warren Avery facetiously replies, "How many system administrators do you have in the company?

"I'm a firm believer that all these companies are spending their money to keep the foxes out of the henhouse, but a lot of times, the foxes are already there," says Avery, president of Promethean Data Solutions Inc., a Phoenix-based firm that compiles articles for its "IT Weekly Newsletter."

Despite the insider security threat, Jon Oltsik, an analyst at Enterprise Strategy Group Inc. in Milford, Mass., says only "a very small percentage" of companies rely on anything in addition to internal access control lists when it comes to limiting entry to not only high-level e-mail, but network-attached storage (NAS) and Fibre Channel networks. He further maintains that in a company of 1,500 employees, there might typically be five to 10 administrators with executive-level access to information.

Passing on encryption

Encrypting internal data on disk systems is viewed as one viable way of protecting sensitive data, but both Avery and Oltsik say very few companies use this solution.

According to Ralf Saykiewicz, managing partner at XaHertz Consulting in Orlando, only very large companies, such as Target Corp., Wal-Mart Stores Inc., Accenture Ltd. and IBM Global Services practice this strategy. Saykiewicz says that in a multinational company of 15,000 employees, 20 to 30 people at headquarters alone would have high-level data access.

Hanging a price tag on the development of a secure internal IT infrastructure is an inexact science at best, but price tags would likely range from $100,000 to $1 million, according to analysts. "I'd probably say you're looking at a million bucks or so," Avery says, pointing to the costs of hardware, software and salaries. Adds Saykiewicz, "I would give you a very ballpark figure of between $100,000 and a quarter million dollars. You need to put in the consulting time, and you need to put in the software."