Friday, February 6, 2015

Could ECM Have Prevented the Sony Hack?

This blog post has been originally posted on the Big Men on Content blog:
There were hundreds of data breaches last year but Sony Pictures won the prize for the most publicity received by a hack. Mostly that publicity came about because Dennis Rodman’s friends got to watch The Interview before any of us. Like the President of the United States said, we can’t tolerate that. We must prevent such cyber-attacks.
But how?
According to the media coverage, most of the stolen data was in the form of structured data such as employee salaries and social security numbers but also emails, documents, movie scripts, and video files – even entire full-feature movies. Over 100 terabytes of data have been allegedly stolen and a lot of it was unstructured data, content. From the little information we have about the hack, no ECM system was in place and the content was stolen from servers and employees computers running Windows. ECM has always been claiming to have the ability to ‘secure’ content, right?
So, would ECM have prevented the Sony hack?
Let’s assume that it really was a hack – a malicious data breach by external actors rather than an internal security leak. An Edward Snowden scenario would have been a whole different ball of wax. But if the bad guys came from the outside, could ECM have prevented the Sony hack?
ECM could have certainly helped by securely archiving the content files and email messages, keeping them off the user drives, and expunging them as their retention period expired. Culling the email volume would have reduced the number of sensitive and sometimes embarrassing emails that were hacked and exposed. It wouldn’t solve the problem entirely but it would have helped. Getting rid of unneeded and potentially compromising data is one of the best practices of information governance solutions based on ECM. Well organized ECM repository and processes would have kept at least some of the sensitive content off employees’ hard drives.
Next, let’s consider permissions. Many of the stolen files were allegedly swept off file servers, which likely had little or no permission control. An admin level access gives a hacker the master key to the vault. Permissions provided by an ECM system would make things much more difficult for the hackers. Sophisticated permissions often allow administrators or even curators to do their job without having the rights to access the content itself – no master key. That would have helped a lot.
How about security features? I’ll skip over the authentication, SSL, VPNs, and other perimeter security that is not specific to ECM – most ECM systems do this but so do other applications. I’m skipping over virus checker and malware detection for the same reason – those were clearly not in place or ineffective in the hack but they are outside the scope of ECM. By the way, a two-factor authentication and a good firewall would have helped too – chances are they had some of it and it was hacked.
The ECM specific security would include repository level encryption and possibly also file level encryption. The repository level encryption is big – many customers use it, it doesn’t burden the users, and it does represent another layer of security, which could have prevented some of the data theft.
File level encryption provided by a rights management system is also a capability that some ECM vendors provide. But let’s be honest, most customers don’t use it as it imposes a significant burden on users and impacts their productivity. That said, having to break the encryption of every file would provide as much security as one can get these days.
I should also mention the audit trail, which by itself doesn’t prevent any data theft but it does help the forensics after the fact. Tracing back the hack helps to assess the damage and more importantly, to prevent it from happening ever again. The Sony hack apparently occurred over several months. A good audit would have discovered the breach earlier and prevented some of the data loss. ECM systems are well known for their sophisticated audit trails and I bet Sony now wishes they had it.
So, to sum things up, an ECM system could not have entirely prevented a data breach like the Sony Pictures hack. No system can. But it would have provided several additional layers of security to protect the intellectual property better and the result of the hack would have compromised less data. Every security layer makes things more difficult for the bad guys and it slows them down. That’s what security is all about – both in the physical and in the digital world.