Thoughts from the Sony Breach

Sony has made big headlines – for all the wrong reasons – for having sensitive company data stolen and posted online in late November. (For full details, I’d recommend WIRED’s “Sony Got Hacked Hard: What We Know and Don’t Know So Far.”)

The event has sparked a lot of debate as to the source of the attack and how it was achieved, with the conversation now expanding to legal concerns and calls to media to stop publishing hacked documents. I certainly don’t know all the facts (and probably never will), but I do know that this was a catastrophic attack for Sony Pictures. It reminds us that any infrastructure is vulnerable to a well-funded, determined attacker.

Whenever breaches get sensationalized and garner the attention of seemingly every publication imaginable, I tend to think about some basic security strategies companies could use to help avoid these incidents.

Here are a few of them:

Keyboard -  blue key Access 1. The Employee is the Perimeter: Traditional security approaches have focused on establishing firewall perimeters and then architecting layers of security applications and endpoints inside to segment users and data. The rapid adoption of cloud and mobile is aggressively challenging this model, and in doing so, moving the security conversation to a newer model that focuses on assuming critical data is in the hands of employees on mobile devices. It’s important to understand that users must access that data on their laptops, tablets, and smartphones. From here, companies can work backwards and determine the controls, policies and technologies necessary to protect that data, regardless of the device and user’s location. This is a much different paradigm from which to work. Many of the hybrid infrastructure approaches that combine best-of-breed cloud solutions with established infrastructures allow companies to focus on maximizing the security of user identities and data rather than just devices and infrastructure.

2. Devalue the Data: Make that critical data on an arbitrary device of little value. This is simple in concept, but much harder in practice. It means architecting controls and technology systems that make it economically infeasible for hackers to go after critical data. This goes further than just segmenting data according to classification or who has access. Consider identity- and authorization-based encryption mechanisms so that even if a hacker identifies one variable, it almost impossible to get at the aggregate. What companies must remember is that the value of the data goes up exponentially as the ease of access to it does. Encrypting and segmenting data based on a number of different criteria across thousands of employees across the globe and multiple devices per employee, not to mention growing audiences of partners or freelancers that need access to sensitive data, is hardly easy, but a necessary strategy in minimizing risk.

3. Recognize Strengths and Weaknesses: Think about Sony Pictures again. They are in the business of making movies; they’re not a security company. Enterprises need to recognize what they’re good at – and what they’re not. Just because you’ve locked up sensitive data on a server behind your firewall doesn’t mean it’s necessarily safe and secure. Don’t expect to build some proprietary software and expect it to be bulletproof. Likewise, installing on-premise security appliances requires a lot of maintenance and management responsibilities – i.e. adding staff members with the expertise to perform those duties. As a result, enterprises are fast realizing that leveraging managed services, and even security-as-a-service solutions, not only helps devalue data, but also enables more sophisticated data segmentation and creates solutions that are better than what they can build or manage on their own.

No one wants to be “that” company. And given what's happened in the last few months, it's hard to argue that any business – no matter their investment or infrastructure – could withstand a breach from a well-funded, determined attacker. But, at the same time, there are a number of different strategies companies can take to minimize risk and keep themselves out of the limelight.