9

I've been wondering about how large online software companies, specifically those based around a single massive product, like Google, Facebook, Yahoo, etc. handle the risk of terminated employees. Any employee with sufficient knowledge of internal security could potentially use this knowledge for vengeance against the company.

Obviously, any company that can't trust its employees has far deeper problems than simple security worries, but after running through scenarios it would seem that Google, Facebook, Yahoo, would have to limit what their employees know to what they need to know. An employee writing protocols to send data between servers obviously needs some dangerous information to do his job, but he doesn't need to know about the outer security. An employee working on anomaly detection is clearly involved in security, but doesn't need to know about how requests that make it through are processed. In other words, it would seem these companies adopt the same principles with their employees that they adopt with their code: principle of least privilege and no potential single point of failure.

Does Google, for example, restrict what their employees know to what they need to know? Is this industry standard?

1 Answer

7

The basic rules that the big companies follow aren't very much different from the rules/recommendations by popular infosec standards (e.g. ISO27k):

  1. Segregation of duties - separation on services provisioning, development process, or any other part of IT services, so different people are responsible for the various components/stages of service delivery, development, provisioning, etc.

For example - one team is responsible for hosting/systems provisioning, another team is responsible for product development, a third team is responsible for storage/databases, etc.

Overall, no single person has access in a way that may lead to the whole process being compromised. However, this measure alone is not sufficient for obvious reasons (didn't help in the case of Ed Snowden).

  2. Least privilege principle - as you already mentioned, any employee is provided with the minimum credentials necessary for performing their duties.

This is another measure that on its own won't completely eliminate the risk of ex-employees or current employees compromising the integrity, confidentiality, or availability of the information (again, didn't help in the case of Ed Snowden).

  3. Have a good asset management program - know who has access to what. Having a current and clear picture of who has access to what can help in the next stage.

  4. Account lifecycle - have processes in place that run when employees leave, ensuring their credentials are revoked.

  5. Encrypt! And have a solid key management process.

  6. Look after the intellectual property (IP) - as much as software patents are debatable, and lawyers aren't the people I'd like to rely on, having the company's IP secured definitely helps (patented, registered or otherwise copyrighted).

  7. Background checks. Small businesses can't usually afford proper background checks, but the big ones definitely do their homework in this department.

  8. Run a data leak prevention program (a mix of solutions, procedures and monitoring).

These are just some of the basics that would limit any potential risk of damage that an employee (or ex-employee) can cause by using their insider knowledge. You can't erase what employees know (e.g. system architecture, protocols, etc.); however, the folks that typically have access to the keys of the castle are not just starting their careers, so any potential traits that would make them less-than-trustworthy would show up during some of their previous employment cycles, or during their probation.

No organization can eliminate the risk completely, but following a common-sense approach, combined with strict adherence to infosec standards, can save you a lot of trouble in the long run.

With regard to specific measures within large corporations, each one is a bit different, since there are substantial differences in their culture, in their governance and their general risk appetite. There's no silver bullet, and they still need a good incident management process to respond to whatever they have missed :-)

Milen
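An added example, not part of the original answer: one way to check the asset management and account lifecycle points together is to reconcile an HR roster against a per-system access inventory and flag accounts that should already have been revoked. The data layout, field names and the function `audit_offboarding` are assumptions made for illustration, and the sample records are constructed.

```python
from datetime import date

# Constructed sample data: HR roster, the source of truth for employment status.
HR_ROSTER = {
    "e100": {"name": "alice", "terminated": None},
    "e101": {"name": "bob", "terminated": date(2024, 3, 1)},
    "e102": {"name": "carol", "terminated": date(2024, 3, 10)},
}

# Constructed sample data: access inventory collected from each system.
ACCESS_INVENTORY = [
    {"system": "vpn", "account": "alice", "owner": "e100", "enabled": True, "last_login": date(2024, 3, 14)},
    {"system": "vpn", "account": "bob", "owner": "e101", "enabled": False, "last_login": date(2024, 2, 28)},
    {"system": "git", "account": "bob", "owner": "e101", "enabled": True, "last_login": date(2024, 3, 5)},
    {"system": "db", "account": "carol", "owner": "e102", "enabled": True, "last_login": date(2024, 3, 9)},
    {"system": "db", "account": "svc-report", "owner": None, "enabled": True, "last_login": date(2024, 3, 13)},
]

def audit_offboarding(roster, inventory):
    """Return (severity, system, account, reason) findings, most severe first."""
    findings = []
    for entry in inventory:
        if not entry["enabled"]:
            continue  # credential already revoked, nothing to report
        person = roster.get(entry["owner"])
        if person is None:
            # Nobody is accountable for this account, so no leaver process covers it.
            findings.append(("medium", entry["system"], entry["account"], "no owner on record"))
            continue
        left = person["terminated"]
        if left is None:
            continue  # current employee; least-privilege review is a separate check
        if entry["last_login"] and entry["last_login"] > left:
            # Login after the termination date: escalate to incident response.
            findings.append(("high", entry["system"], entry["account"], "used after termination"))
        else:
            findings.append(("medium", entry["system"], entry["account"], "still enabled after termination"))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1], f[2]))

if __name__ == "__main__":
    for finding in audit_offboarding(HR_ROSTER, ACCESS_INVENTORY):
        print(*finding, sep=" | ")
```
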