Why Identity-based Security Fails Against the Insider
On February 20, 2026, the Department of Justice unsealed an indictment against three former Silicon Valley engineers — two from Google, one tied to Qualcomm — charged with stealing processor security documents, cryptographic trade secrets, and Snapdragon SoC hardware architecture. Some of it ended up in Iran.
Read that again: not stolen by an outside attacker, and not extracted through a vulnerability. Stolen by people with authorized credentials, on company hardware, during normal working hours.
This is the insider threat problem in its most precise, documented form. And it exposes a structural failure that no firewall, no SIEM, and no background check was built to stop.
It also highlights the growing vendor risk problem: rogue employees at cloud and SaaS providers can, in many cases, maliciously access customer data because they sit 'behind' your identity perimeter.
🛡️ Is Your Most Sensitive Data Protected at the File Level, or Just at the Perimeter?
Most organizations discover the gap after the documents are already gone. Theodosiana's file-centric security model ensures your files are self-defending, regardless of who holds them.
What Actually Happened: The Indictment Facts
Samaneh Ghandali, a Google engineer, allegedly transferred hundreds of internal files, including trade secrets covering cryptography and processor security, to a third-party communications platform, routing them to channels tied to the defendants. Her sister, Soroor Ghandali, did the same across multiple tech firms.
The night before the pair traveled to Iran in December 2023, co-conspirator Mohammadjavad Khosravi photographed his own Qualcomm work screen, capturing Snapdragon SoC hardware architecture. Those photographs were accessed from Iranian devices during the trip.
These weren't stolen in a midnight attack. They were taken during business hours, through a messaging platform, by people whose access logs said "authorized."
To cover their tracks, the defendants submitted false affidavits to the victim companies, deleted device records, and researched how long mobile carriers retain message data. Google eventually detected the theft through routine security monitoring and referred the case to law enforcement.
By that point, the documents were already in Iran.
The Critical Difference Between Document Theft and a Database Breach
Most enterprise security is optimized for the wrong threat model. It is built to stop an attacker who exploits a vulnerability, pivots through the network, and exfiltrates records from a database. That's a legitimate threat. It is not the threat that took Google's cryptographic IP to Tehran.
Document exfiltration is different in every material way.
The access is legitimate. The attacker is already authorized and inside. There's no anomalous login, no unusual source IP, no exploit to detect.
The data is pure Intellectual Property (IP). A database record is just a field value. A stolen document—a hardware schematic, a cryptographic methodology, or an R&D blueprint—is a contextual asset that carries the narrative and strategic intelligence of your company.
The detection window is wider. Anomalous query volumes trigger alerts. A credentialed engineer downloading files they're entitled to access? That looks identical to a normal workday.
The damage is permanent. You can rotate a compromised credential. You can cancel a stolen credit card. You cannot un-share a processor architecture once it exists on a device in Tehran.
Document Exfiltration vs. Standard Database Breach
| Factor | Database Breach | Document Exfiltration |
|---|---|---|
| Access type | Unauthorized attacker exploits a vulnerability | Authorized insider uses legitimate credentials |
| What is stolen | Structured records: PII, credentials, payment data | IP-heavy discrete files: schematics, blueprints, cryptographic methodologies |
| Detection signal | Anomalous query volume, unusual egress patterns | Credentialed file access — often indistinguishable from normal behavior |
| Strategic value | Volumetric — value is in scale (millions of records) | Singular — one document can contain irreplaceable IP |
| Reversibility | Credentials rotated, cards cancelled | Cannot unshare a processor architecture once it reaches Tehran |
| Who did it | External threat actor | Trusted employee, on company hardware, during business hours |
Why "Trusting the Engineer" Is a Broken Security Model
Identity-based access control answers one question: Is this person authorized to be here?
It does not answer the question that matters: Should this file leave its authorized context — regardless of who is carrying it?
The engineers at the center of this indictment passed every identity check in the model. They were credentialed. They were cleared. And on the night before a flight to Tehran, that trust became the attack vector.
This is the architectural flaw. Not in Google's implementation — Google detected the theft and acted. The flaw is in the model itself: identity-based security assumes that verified access equals reliable stewardship. The moment that assumption breaks — and for any organization at scale, it eventually breaks — the document is defenseless.
One month before this indictment, another former Google engineer, Linwei Ding, was convicted of stealing thousands of confidential documents to build a startup in China. Two cases. One month. Same company. Same method: legitimate access, document exfiltration, foreign intelligence involvement.
To reiterate, this is not a Google problem. It is an architecture problem.
Traditional Security vs. Theodosiana
| Threat Action | Traditional Security (Google's posture) | Theodosiana Approach |
|---|---|---|
| Legitimate user opens file | Access granted based on ID | Access granted only if context (time, behavior, location) is normal |
| Moving file to private cloud | Might trigger an alert (DLP) | The file stays encrypted; it is useless without the live key |
| Sudden bulk access | Often missed until audit | Drops the gate based on anomalous behavior |
What Data-Centric Security Changes
In a data-centric security model, protection travels with the file, not with the perimeter around it. The document becomes its own defense.
This means four concrete capabilities that identity-based models cannot provide:
File-level encryption: The document is encrypted independent of where it sits: on a work laptop, a personal device, a third-party messaging platform, or a device in Tehran. The encryption is not contingent on the network perimeter remaining intact.
Contextual policy-bound access: Even if the file is exfiltrated, it cannot be opened without satisfying the access policy that the originating organization controls. The authorization context stays with the issuer, not with the person who copied the file.
Persistent audit trail: Every access attempt, inside or outside the perimeter, is logged. Not just "this file was downloaded," but who attempted access, from which device and location, at what time, and whether the policy was honored. This is the early-warning signal that routine perimeter monitoring misses.
Retroactive revocation: When an employee is terminated or their access is flagged, every policy-bound document they have ever touched becomes inaccessible, even files that are no longer on the company infrastructure. This is not possible in any perimeter-only or identity-only model.
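The four capabilities above, and the three rows of the "Traditional Security vs. Theodosiana" table, all reduce to one architectural move: the key never travels with the file, so every open is a policy decision made by the issuer. The following is an added illustration, not Theodosiana's code (the product's formats, policy language and APIs are not on the page); the `KeyService`, envelope layout, policy fields and sample users, devices and document id are constructed stand-ins. The cipher is a stdlib-only toy (HMAC-SHA256 keystream XOR with an HMAC tag) so the example runs offline; a real deployment would use an AEAD such as AES-GCM.

```python
"""Policy-bound document envelope with an issuer-side, context-checking key service.

Added example, not Theodosiana's code. Constructed stand-ins throughout:
KeyService, Policy, the envelope layout, user/device/country values.
Toy cipher (HMAC-SHA256 keystream XOR + HMAC tag) only so this runs offline.
"""
import hashlib, hmac, secrets
from dataclasses import dataclass

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def _decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("envelope tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class Policy:
    users: set
    managed_devices: set
    countries: set
    hours: tuple = (7, 20)   # local-hour window in which opening counts as normal
    bulk_limit: int = 3      # opens per user per day before the gate drops

class KeyService:
    """Issuer-side service: holds keys and policies. The file itself holds neither."""
    def __init__(self):
        self._keys, self._policies, self._opens = {}, {}, {}
        self.revoked, self.audit = set(), []

    def protect(self, doc_id: str, plaintext: bytes, policy: Policy) -> dict:
        key = secrets.token_bytes(32)
        self._keys[doc_id], self._policies[doc_id] = key, policy
        # Envelope = ciphertext plus a pointer back to the issuer; no key material.
        return {"doc_id": doc_id, "issuer": "keyserver.example (placeholder)",
                "blob": _encrypt(key, plaintext).hex()}

    def request_key(self, doc_id: str, ctx: dict):
        """Every attempt, wherever the copy lives, is logged with its decision."""
        decision = self._evaluate(self._policies[doc_id], ctx)
        self.audit.append({**ctx, "doc_id": doc_id, "decision": decision})
        return self._keys[doc_id] if decision == "allow" else None

    def _evaluate(self, pol: Policy, ctx: dict) -> str:
        if ctx["user"] in self.revoked:                      return "deny:revoked"
        if ctx["user"] not in pol.users:                     return "deny:not-authorized"
        if ctx["device"] not in pol.managed_devices:         return "deny:unmanaged-device"
        if ctx["country"] not in pol.countries:              return "deny:location"
        if not pol.hours[0] <= ctx["hour"] < pol.hours[1]:   return "deny:off-hours"
        k = (ctx["user"], ctx["day"])
        self._opens[k] = self._opens.get(k, 0) + 1
        if self._opens[k] > pol.bulk_limit:
            self.revoked.add(ctx["user"])   # anomalous bulk access drops the gate
            return "deny:bulk-access"
        return "allow"

    def revoke_user(self, user: str) -> None:
        self.revoked.add(user)   # retroactive: applies to every copy already made

def open_document(svc: KeyService, envelope: dict, ctx: dict):
    key = svc.request_key(envelope["doc_id"], ctx)
    return None if key is None else _decrypt(key, bytes.fromhex(envelope["blob"]))

def demo() -> dict:
    svc = KeyService()
    pol = Policy(users={"alice", "bob"}, managed_devices={"LAPTOP-01", "LAPTOP-02"}, countries={"US"})
    env = svc.protect("doc-0001", b"CONSTRUCTED sample: processor security design notes", pol)
    alice = {"user": "alice", "device": "LAPTOP-01", "country": "US", "hour": 10, "day": "2026-02-20"}
    bob = {**alice, "user": "bob", "device": "LAPTOP-02"}
    r = {}
    r["office"] = open_document(svc, env, alice)                            # normal context: opens
    r["abroad"] = open_document(svc, env, {**alice, "device": "PHONE-PERSONAL",
                                           "country": "IR", "hour": 23})    # same bytes, no key: inert
    r["bob_before"] = open_document(svc, env, bob) is not None
    svc.revoke_user("bob")                                                  # termination
    r["bob_after"] = open_document(svc, env, bob) is not None               # his retained copy is dead
    for _ in range(4):                                                      # bulk access trips the gate
        r["bulk"] = open_document(svc, env, alice) is not None
    r["decisions"] = [a["decision"] for a in svc.audit]
    return r

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point to notice is the audit list: the copy opened from an unmanaged device abroad produces a denial event at the issuer, not silence. Under a perimeter-only model that copy would have left no trace at all once it was off the network.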
None of this is theoretical. This is the architecture Theodosiana deploys for defense supply chains and other highly regulated organizations.
The Insider Threat Is Not the Anomaly. It Is the Risk Calculus.
Every CISO reading this indictment should ask one question: not "could this happen to us?" — the answer to that is already yes. The question is: "When it happens, does our data defend itself?"
If the answer depends on trusting every person who has ever accessed a sensitive file, the architecture has already failed. The data needs to be the last line of defense, not the people around it.
FAQs: Insider Threat Document Security
How does file-level encryption differ from standard enterprise DRM?
Traditional DRM controls access at the application or storage layer — it depends on a managed environment to enforce rules. File-level encryption, as used in Theodosiana's architecture, embeds the protection directly into the file itself. The policy travels with the document regardless of where it moves — including to third-party platforms, personal devices, or networks outside your perimeter. The enforcement is not contingent on your systems remaining in the loop.
Can file-centric security prevent the kind of exfiltration seen in the Google indictment?
Yes, in two critical ways. First, files transferred to a third-party messaging platform remain encrypted and policy-bound. Even if the recipient accesses the file, the originating organization's policy governs whether it can be opened. Second, every access attempt, successful or blocked, generates an audit event. This creates a detection capability that triggers on policy violations, not just anomalous network traffic. You see the attempt before the damage compounds.
What types of files carry the highest insider threat risk?
The highest-risk documents are those with strategic value outside their organizational context: hardware schematics, cryptographic research, ITAR-controlled technical data, M&A materials, and R&D blueprints. These are precisely the categories stolen in the Google case: not PII, not financial records, but documents whose value is their intellectual content. One file can contain years of competitive advantage.
How does Theodosiana handle access revocation if an employee has already exfiltrated files?
Theodosiana's policy engine maintains control over documents regardless of where they reside. When an employee's credentials are revoked, access to all policy-bound documents is simultaneously terminated, including documents on personal devices or external platforms. This retroactive revocation is not possible in perimeter-based or identity-only models, which lose control the moment the file leaves managed infrastructure.
Does data-centric security replace Zero Trust, or work alongside it?
It complements Zero Trust Architecture. Zero Trust eliminates implicit trust at the network layer. Data-Centric Security eliminates implicit trust at the document layer. Together, they create a defense posture where neither network position nor employee authorization alone determines what data can leave and where it can go. Theodosiana is designed to integrate with existing Zero Trust frameworks, adding the document layer that most Zero Trust implementations do not include.
Is this level of file control realistic for a mid-sized defense subcontractor?
This is precisely the market Theodosiana is built for. Large defense primes have dedicated teams to manage complex deployments. Theodosiana's architecture gives Tier 2 and Tier 3 subcontractors the same file-level protection without requiring a full security operations center to run it. The goal is protection that scales down without complexity that scales up.
What should a CISO do immediately after reading about this indictment?
Start with a document audit: identify which of your most sensitive files — technical IP, contract documents, compliance records — are protected only by access controls, and which carry file-level encryption. If the answer is that most protection lives at the access layer, your risk profile mirrors Google's. The next step is a Data Leak Path Audit to map the gap between your current posture and one where the documents defend themselves.