In case anyone is wondering how data activity monitoring is supposed to work, the recent passport file breaches are a classic example. With both Senators Clinton and Obama, the breaches were detected because the computer system detected file access out of the norm. We do not have details on whether this norm was based on who they were, or based on pattern of access. The important point is that the systems caught unusual access, probably in real-time – apparently on January 9, February 21, and March 14 in three separate incidents.

Usually enterprises lead security and IT innovation and the government follows. Here, for once, enterprises can take a lesson from the government. Enterprise databases are notorious for not being monitored. It is commonly believed that data breaches (such as TJX, Monster, Hannaford, etc.) are vastly underreported because we do not monitor how data is being accessed. If only enterprise databases were wired with data activity monitoring, we would find out how many critical breaches really happen.

Regardless of the political fallout of the passport breach incident, I do see a valuable technical lesson in security for enterprises.