Last year, I wrote about Six Management Lessons That IT Leaders Can Learn From Darth Vader and with the looming release of Star Wars: Rogue One, it is time to revisit the Star Wars universe. Rogue One focuses on the theft of the Death Star plans, and in this blog post, I wanted to explore five things that we can learn from the Empire’s lax security practices.
Encryption Matters
In the opening sequence of Star Wars, we see Princess Leia inserting the Death Star plans into R2-D2. The droid seemingly had no issues reading the data and later projecting 3D holograms of the information. Unless R2 has some super-secret and highly advanced decryption capability, it would appear that the Death Star plans were not encrypted. Hmmm, really? These plans are for the most sophisticated battle station in the universe and the Empire forgets encryption?
Strong encryption limits access to critical data to those who have the encryption key. This technology adds a layer of security because Rebel scum can only read the data if they have both the source files and the encryption key. Thus the hacker needs to capture two pieces of data to gain access to private information. A natural offshoot of this process is that key management is critical and that the most effective security strategies include both strong encryption and highly secure key management. In a stunning turn of events, the Empire overlooked both of these strategies.
At Dell, we offer a variety of encryption options including solutions for data at rest and in flight.
Physical Security is Critical
Physical security is another vital consideration for protecting secret information like the Death Star plans. Some of the components that the Empire must have considered included access controls, guards and gates. These safeguards should be a baseline for all security initiatives because if someone can gain physical access to your infrastructure then your security challenges are significantly multiplied.
The Empire traditionally relied on Stormtroopers for physical security. These personnel were not known for their intellectual prowess which was problematic since training is a critical part of security protocols. It would seem that traditional Strormtroopers might lack the brainpower to truly absorb and implement the appropriate security policies resulting in significant risk. A better strategy would have been to rely upon more highly trained operatives such as the Emperor’s Imperial Royal Guards.
Two-Factor Authentication Everywhere
At Dell, we take security seriously and our employees are equipped with RSA’s two-factor authentication technology to prevent unauthorized data access. Two-factor authentication secures data by requiring that users have something that they know (password) and something that have (a security code generated by an app or a hardware token) when authenticating. Naturally, the token generates random codes at frequent intervals and so are difficult to hack.
In a classic process failure, the Empire had no security on its data ports in the Death Star. It was eye opening when R2-D2 was able to view and control critical battle station systems by simply connecting to any available port. In fact, it is not even clear if a password was required! This is a security lapse of epic proportions, and we all know what happened as a result….
As an IT practitioner, we must have layered security measures in place. As previously discussed, encryption and physical security are key ingredients and two-factor authentication is another technology that should be considered.
Keep it Offline
A common attack vector for modern day hackers or rebel scum in Star Wars parlance is the network. Making data accessible via a network adds convenience, but creates significant security challenges. You do not have to look any further than current news headlines to see stories of hackers penetrating corporate networks with malicious intent. Clearly hardening network access is critical and technologies like encryption and two-factor authentication can help. However, the greatest security can be derived by disabling network access to selected data sets. In the case of the Empire, the plans were so secret that storing them offline would have been an ideal strategy.
As an IT practitioner, having a “gold” copy of corporate data in a near offline state can help protect against unexpected hacks. Dell’s Isolated Recovery Solution is a great option for those looking for higher levels of protection.
Understand the Threats
Part of a holistic security strategy is to understand the potential threats and ensure that you have systems in place to protect against them. For example, the Empire clearly knew that the Rebels were dissatisfied with Vader’s less than magnanimous leadership style and so it would be reasonable to assume that the Rebels would be looking to cause trouble. This mere fact should have driven the Empire to assess its security strategies and implement safeguards to protect against threats from the Rebels. Unfortunately Vader and his minions, dismissed the rebels as little than a fringe element in society…clearly, a huge mistake.
In the world of IT in 2016, we need to be conscious of our threats as well. Many of the technologies described in this post can help better harden our data centers, but threats frequently morph and can attack from unexpected angles. Services like Dell SecureWorks can provide a comprehensive framework to assess and respond to attacks.
In summary, the theft of the Death Star plans is a case study of what not to do with data security. The Empire had clearly become complacent resulting in a string of poor information security choices. As a result, a team of relatively inexperienced hackers were able to steal the most highly guarded plans in the galaxy. Now, I am sure that you are not protecting the plans for a planet destroying space station, but you still may have large amounts of highly sensitive data. Remember, layered security is critical and you should be constantly assessing your infrastructure to find gaps and opportunities for improvement. As the Empire learned the hard way, ignoring security can eventually lead to disaster.