Sensational details of the inner workings of international diplomacy are still being revealed by WikiLeaks, which has access to a stash of about a quarter million secret diplomatic messages between the State Department and U.S. embassies around the world. Of course, the revelations caused a red-faced State Department to fulminate about violations of national security by WikiLeaks.
The State Department has just lifted the cloak of mystery regarding exactly how the secret messages were accessed and passed on to WikiLeaks: it turns out that the messages were wrongly stored in a database accessible to all military personnel worldwide. It is amazing that in today’s highly security-conscious world of IT operations, the State Department allowed just about anybody to access a trove of so many highly sensitive documents.
One State Department official said: “It wasn’t clear what was to be shared or not shared”. In one simple sentence, the official unwittingly let on that the State Department didn’t have any authorization policies in place for the database (called Net-Centric), which is accessible to all and sundry in the armed forces. This case shows once again the enormous importance of having sophisticated identity and access management policies to prevent unauthorized users from accessing data they aren’t supposed to be privy to. A proper identity management system based on role-based access control (RBAC) could’ve easily prevented the entire fiasco.
In addition to a formal role-based identity and access management system, a solid auditing policy would also have prevented the long-term unauthorized access to the sensitive documents. It seems that this was less a political or diplomatic failure than a failure on the part of the guardians of the State Department databases to adequately protect their sensitive information. As of now, State Department officials have cut off external access to the Net-Centric Diplomacy database (probably located in the Pentagon), pending a review. The leaked papers were downloaded from a computer terminal in Kuwait and forwarded to WikiLeaks.