Game Over: Cloud Computing and the Sony Breach

Thursday, June 02, 2011

Kelly Colgan

F29746c6cb299c1755e4087e6126a816
Article by Ondrej Krehel, Identity Theft 911 

There’s been a lot of commentary and gotcha-style journalism surrounding the Sony data breach, but not much constructive criticism.

Yes, the breach could have easily been prevented. Had Sony enabled fairly standard firewall technology and kept its systems up-to-date with the latest patches, none of this most likely would have happened.

imageSince most of us have enabled firewalls on our personal computers and are aware of the risks if we don’t, Sony’s mistake immediately smacks of foolishness.

But setting up protection for a network of 100 million users is a little different than protecting the Mac in your living room. Sony’s breach is a valuable lesson for many organizations considering a transition to the cloud.

Already the media is reporting that businesses are rethinking it. And that’s a good thing.

Any transition from one kind of data system to another needs serious thought. That’s the Sony lesson: Migrating data from a traditional system to a new technology must be done very carefully. Shifting from classical to cloud isn’t as easy as the snappy alliteration makes it seem.

Whatever move your data is making, you must ensure all relevant security measures are enabled. If the servers are connected to the Internet, yes Sir Howard Stringer, you need a firewall.

But even if it isn’t, you need to ask questions such as, What information is guarded? How is it guarded? What is the scalability, and how can it be exploited? How do we know that someone is after our data?

The second lesson we can learn here is the rule of maximum leverage. Leverage all security elements to maximum potential. Businesses of all sizes have a patch management policy, most likely executed by an inside professional security team.

It would have been to Sony’s benefit to have such a functioning policy in place, and, with 100 million users, to make sure it’s as rigorous as possible, with tight control on its execution.

We often use words like “robust,” “comprehensive,” and “strong” to describe security programs. Nice as that may sound, security isn’t only about the strength of a system, but about the mindset of the people working it. Have they asked all the questions? Have they covered all their bases?

Whenever data is transitioned someone needs to know enough to ask the right questions. The human element is the most important security element. It is human creativity that pushes technology to its maximum functionality.

Security needs a vision and strong ruler fully supported by executive management. After all, someone has to flip that firewall switch.

image Ondrej Krehel, Chief Information Security Officer, Identity Theft 911 Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.

Possibly Related Articles:
7843
Cloud Security
Service Provider
Cloud Security Management Data Loss Prevention Security Sony breach
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.