By Ondrej Krehel, Identity Theft 911

There’s been a lot of commentary and gotcha-style journalism surrounding the Sony data breach, but not much constructive criticism.
Yes, the breach could have easily been prevented. Had Sony enabled fairly standard firewall technology and kept its systems up to date with the latest patches, most likely none of this would have happened.
Since most of us have enabled firewalls on our personal computers and are aware of the risks if we don’t, Sony’s mistake immediately smacks of foolishness. But setting up protection for a network of 100 million users is a little different than protecting the Mac in your living room.
Sony’s breach is a valuable lesson for many organizations considering a transition to the cloud. Already the media is reporting that businesses are rethinking it. And that’s a good thing.
Any transition from one kind of data system to another needs serious thought. That’s the Sony lesson: Migrating data from a traditional system to a new technology must be done very carefully. Shifting from classical to cloud isn’t as easy as the snappy alliteration makes it seem.
Whatever move your data is making, you must ensure all relevant security measures are enabled. If the servers are connected to the Internet, then yes, Sir Howard Stringer, you need a firewall. But even if they aren’t, you need to ask questions such as: What information is guarded? How is it guarded? What is the scalability, and how can it be exploited? How do we know that someone is after our data?
The second lesson we can learn here is the rule of maximum leverage. Leverage all security elements to maximum potential. Businesses of all sizes have a patch management policy, most likely executed by an inside professional security team. It would have been to Sony’s benefit to have such a functioning policy in place, and, with 100 million users, to make sure it’s as rigorous as possible, with tight control on its execution.
We often use words like “robust,” “comprehensive,” and “strong” to describe security programs. Nice as that may sound, security isn’t only about the strength of a system, but about the mindset of the people working it. Have they asked all the questions? Have they covered all their bases? Whenever data is transitioned, someone needs to know enough to ask the right questions. The human element is the most important security element. It is human creativity that pushes technology to its maximum functionality. Security needs a vision and a strong ruler fully supported by executive management. After all, someone has to flip that firewall switch.
Ondrej Krehel, Chief Information Security Officer, Identity Theft 911
Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.
3 Responses
Ondrej,
All things considered, there were a few minor faux pas and a few major ones at Sony. Too many large companies just give lip service to information security. The CISO is just the guy or gal that gums up the works, slows everything down and creates the network bottleneck that everyone complains about. They are the red-headed stepchildren of the IT world. That is, until there is an intrusion, and then the director of IT or CIO seeks out that CISO and wants to know how this could have possibly happened. That is, if there is a CISO or even anyone on staff that understands information security.
In Texas, we call that closing the gate after the horses got out. Too often, the budget for network security is minimal until an intrusion occurs. But as we know, a few thousand spent now could save a few million spent later. And the price doesn’t include the cost to customer confidence, the loss of which can’t be easily replaced.
In Sony’s case, it seems that their security hasn’t been up to standard for quite a while and it wasn’t until their transition to the Cloud that it became a huge problem that will end up costing them hundreds of millions of dollars.
Just recently in the news, we’ve heard of many more intrusions of major corporations. The IS and IT managers shouldn’t be in competition with each other; they should be partners in the protection and efficiency of a company’s greatest asset… its information.