Professor tackles internal cybersecurity threats

Thursday, September 14, 2017

The biggest cybersecurity threat most organizations face doesn’t come from an anonymous hacker halfway around the world.

Instead, it’s someone within their own walls: a disgruntled employee who wants to wreak havoc, a “trusted” third-party contractor, or even a well-meaning worker inadvertently exposing the company to dangerous malware.

For smaller organizations, keeping sensitive material out of the wrong hands is a pretty straightforward process.

Controlling access is at the heart of cybersecurity threats

But companies with thousands of employees can’t avoid delegating authority and access to restricted files. So how do they safeguard sensitive material from internal breaches?

Mahesh Tripunitara loves sinking his teeth into these kinds of big, complex questions.

After working in industry for nine years, the electrical and computer engineering professor was lured to the University of Waterloo in 2009 by the opportunity to tackle tough challenges with a team of talented graduate students. Addressing cybersecurity insider threats certainly falls in that category.

“We don’t do things that are easy,” says Tripunitara.

His team started by assessing whether it’s theoretically possible to create a truly secure access and authorization system: one that gives each employee access to the specific resources they need, but prevents them from colluding with other users to tap into unauthorized files.

“Just because you have a problem doesn’t mean you can write a program,” Tripunitara points out.

And even if you can theoretically create an algorithm to solve that problem, you need to make sure it will work from a practical perspective. After all, there’s no point in developing software that grinds operations to a halt or falls apart if a key employee is out of commission.

A number of researchers have categorized the so-called “user authorization query problem” as intractable, but that didn’t deter Tripunitara.

By treating it as a joint optimization problem, he and his students were able to transform it into a solvable problem. Not only that, they pinpointed existing algorithms that could be applied, giving enterprises usable tools to strengthen their authorization and access systems.

Waterloo attracts the ‘cream of the crop’ in academic excellence

Tripunitara describes his work as bridging the gap between theory and practice. That often means assessing how commercial software stacks up.

A few years ago, he and his team tested the authorization systems of Oracle’s Database Management system — a program used by millions of customers around the world — and uncovered a flaw that affected a fundamental component.

Tripunitara shrugs off the achievement, dismissing it as “low-hanging fruit.”

“When somebody like me and my students who have expertise go in and we look at things in a systematic way… it’s very easy for us to find issues,” he says.

Indeed, working with a talented bunch of graduates and undergraduates is his favourite part of the job. He credits Canada’s educational system with producing outstanding students – and notes that Waterloo Engineering attracts the cream of the crop.

“They are fantastic,” Tripunitara says. “I’m very lucky to be at Waterloo.”