Encrypting Internal Traffic Is No Defense Against Unauthorized Privileged Access

This week Yahoo made a media splash by announcing plans to encrypt all internal network traffic in response to the National Security Agency (NSA) leaks by Edward Snowden.

I hope that Yahoo staff isn’t so naive as to think that encrypting traffic on their internal network is going to address the “Snowden Bug”. If they are, then good luck Yahoo!

The fundamental weakness that Snowden exposed was the ability to use highly privileged accounts to gain access to systems that stored confidential data. Encrypting traffic is pointless if you’re not controlling privileged access and putting the essential checks and balances in place against insider threats.

It’s kind of like saying that because I’m on the surface of the English Channel and can’t see the Channel Tunnel, there isn’t a train. Everybody on the train will clearly have a different viewpoint. Or, you might as well decide that you’ll make airplanes bomb-proof and eliminate security checks at airports. Once the bomb is in, the damage is done.

Snowden wasn’t some cryptographic genius, but rather a systems operator who managed to use his privileged access, and the access of those gullible enough to share their privileges with him, to gain higher privilege and more access. In fact, he’s the same person in a Yahoo world who would be setting up the encryption to encrypt all internal traffic.

I think the NSA and GCHQ will be trying to contain their laughter while appearing grave-faced in front of the cameras to applaud the steps Yahoo is taking. Oh, how some encryption companies must be falling over themselves to sell Yahoo more crypto software.

I’m sure that if Yahoo CEO Marissa Mayer looked in the cupboards at Yahoo, she’d no doubt find a stack of “shelfware” crypto that never made it to production. Save yourself the effort, dear, and instead go hire some people who know what they’re doing!

What’s your opinion on encrypting internal traffic as defense against insider threats like Edward Snowden? Leave a comment below.

1 Comment on "Encrypting Internal Traffic Is No Defense Against Unauthorized Privileged Access"

  1. What you say is true, but it’s not an argument against encrypting internal traffic.
