There were hundreds of data breaches last year but Sony Pictures won the prize for the most publicity received by a hack. Mostly that publicity came about because Dennis Rodman’s friends got to watch The Interview before any of us. Like the President of the United States said, we can’t tolerate that. We must prevent such cyber-attacks.
But how?
According to the media coverage, most of the stolen data was in the form of structured data such as employee salaries and social security numbers but also emails, documents, movie scripts, and video files – even entire full-feature movies. Over 100 terabytes of data have been allegedly stolen and a lot of it was unstructured data, content. From the little information we have about the hack, no ECM system was in place and the content was stolen from servers and employees computers running Windows. ECM has always been claiming to have the ability to ‘secure’ content, right?
So, would ECM have prevented the Sony hack?
Let’s assume that it really was a hack – a malicious data breach by external actors rather than an internal security leak. An Edward Snowden scenario would have been a whole different ball of wax. But if the bad guys came from the outside, could ECM have prevented the Sony hack?
ECM could have certainly helped by securely archiving the content files and email messages, keeping them off the user drives, and expunging them as their retention period expired. Culling the email volume would have reduced the number of sensitive and sometimes embarrassing emails that were hacked and exposed. It wouldn’t solve the problem entirely but it would have helped. Getting rid of unneeded and potentially compromising data is one of the best practices of information governance solutions based on ECM. Well organized ECM repository and processes would have kept at least some of the sensitive content off employees’ hard drives.
Next, let’s consider permissions. Many of the stolen files were allegedly swept off file servers, which likely had little or no permission control. An admin level access gives a hacker the master key to the vault. Permissions provided by an ECM system would make things much more difficult for the hackers. Sophisticated permissions often allow administrators or even curators to do their job without having the rights to access the content itself – no master key. That would have helped a lot.
How about security features? I’ll skip over the authentication, SSL, VPNs, and other perimeter security that is not specific to ECM – most ECM systems do this but so do other applications. I’m skipping over virus checker and malware detection for the same reason – those were clearly not in place or ineffective in the hack but they are outside the scope of ECM. By the way, a two-factor authentication and a good firewall would have helped too – chances are they had some of it and it was hacked.
The ECM specific security would include repository level encryption and possibly also file level encryption. The repository level encryption is big – many customers use it, it doesn’t burden the users, and it does represent another layer of security, which could have prevented some of the data theft.
File level encryption provided by a rights management system is also a capability that some ECM vendors provide. But let’s be honest, most customers don’t use it as it imposes a significant burden on users and impacts their productivity. That said, having to break the encryption of every file would provide as much security as one can get these days.
I should also mention the audit trail, which by itself doesn’t prevent any data theft but it does help the forensics after the fact. Tracing back the hack helps to assess the damage and more importantly, to prevent it from happening ever again. The Sony hack apparently occurred over several months. A good audit would have discovered the breach earlier and prevented some of the data loss. ECM systems are well known for their sophisticated audit trails and I bet Sony now wishes they had it.
So, to sum things up, an ECM system could not have entirely prevented a data breach like the Sony Pictures hack. No system can. But it would have provided several additional layers of security to protect the intellectual property better and the result of the hack would have compromised less data. Every security layer makes things more difficult for the bad guys and it slows them down. That’s what security is all about – both in the physical and in the digital world.
You give me full admin access I’ll hack all the content in the systems. Can’t be stopped. The issue is the front line of security. They took none of it seriously. It may have deterred hackers and sent them on to the next target.
-Pie
@piewords, Lubor basically says the same thing as you in the last paragraph. I think this does highlight that they perhaps didn’t treat their content as an asset worthy of rigorous protection. these aren’t national secrets – Its just movies, right? Well production companies have employees with rights to privacy and there is real potential for financial loss when what is never meant to be seen comes out into the public eye. If nothing else this proves that no industry is exempt from the need to better secure its data.
@ldallas I think it’s going to be worth watching the case law that comes out of this. Your comment that “employees with rights to privacy” may not hold true.
I think that corporations have stronger rights to their intellectual property than employees to their Personally Identifiable Information (PII). I’m not aware of any state laws in New York that identify a persons information as private, where Sony is based.
In the EU Sony would be receiving fines, right now, for every case of employee PII breach. There the definition of PII is very broad. While in the US, PII is tied to name, address, birth date, and social.
@luborp I keep looking to see how old was the data and emails. I think your point on retention might have been the biggest safety net. Had the emails been purged, since little of it was material, it might not have gotten out.
You also mention that to access network shares they only needed to get a network administrator password. But I wanted to point out that I’ve seen lots of cases where the network admin didn’t create individual protected shares, but simply individual network folders on a larger general share. Going up one directory, suddenly gives you access to all shares. This means the person the next cube over could be accessing your emails. It’s always good to know what you put on your network share.