A quick disclaimer: THIS BLOG HAS A STRICT NO-SPOILERS POLICY. As someone who finally watched “Star Wars: The Force Awakens” a couple of months ago, I understand the struggle to keep up with pop-culture with everything else going on in our busy lives.
Last week Peters & Associates and our security partners hosted a private screening of “Rouge One: A Star Wars Story.” If you weren’t able to attend, you missed out on a great security conversation, a fantastic movie, and some eye roll-inducing Star Wars jokes. Fortunately for you, I’ve compiled 2 of those elements into our recap blog. So grab some popcorn, set your smart phone to stun, and read on to catch up on the conversation.
First, some background…
The premise for the latest movie in the Star Wars franchise is the story of the Rebel Alliance’s pursuit of the Empire’s top-secret plans for the Death Star. If compromised, the rebels could use the plans to find weaknesses in the Death Star and destroy the Empire’s expensive superweapon.
At Peters & Associates, we’re helping our customers to fight this type of digital theft every day with our security solutions and services – although, none of our clients are building a superweapon capable of demolishing other planets. Given our background, we enjoyed this film from a unique perspective – what lessons can we learn to help protect our clients’ sensitive information like customer data and intellectual property? The lessons that we took from the movie experience reinforced our approach to security solutions and protecting data.
Sticking to our NO-SPOILER stance, I won’t go into specifics about the movie. However if you have seen the film and want to get nerdy with us, email email@example.com and we can chat.
Over the past couple of months, you may have heard us reference our security strategy, which is illustrated in the graphic above (we “Death Star’d” it for the purposes of this event). Essentially, we advocate for a multi-level approach to protecting your sensitive data. If you’re not securing any one of these levels, you’re leaving a significant hole in your security structure. And, as we know from the original 1977 Star Wars film, even a hole the size of an exhaust vent can compromise the entire structure.
Each of these security layers is worthy of a blog or two and a deep dive by itself. For the purposes of this blog, I’ll highlight the layers, the role they play, and some of the technology to think about.
Peeling back the layers…
I’ll work from the inside out. At the center of our “Death Star” we have the Data layer. This represents your most sensitive data that, if compromised, could cripple your organization. The Data layer can be thought of as your “reactor core”. From there, we can build out the different layers of protection that we must account for:
- Platform: The Platform is all about the machine (virtual, physical, and cloud) that your data is sitting on. How is the host protected? What protection measures can you leverage in the operating system to secure your data?
- Infrastructure: Your Infrastructure layer is defined by the security of your network and the connections that extend to your network. How is your Firewall evaluating traffic? What do your alert logs reveal about the traffic and people traversing your network? Do you have the expertise and time to triage and interpret those logs?
- Devices: Securing the Device layer generally focuses on two components: 1) what operating system-level features can be configured to secure the device? and 2) how can the lifecycle of a device be managed? Are you using the full suite of security features in your operating system? Are you protecting devices with a Mobile Device Management system? How are you applying policies to your machines?
- Identity: You’ll notice in our graphic that Identity is not displayed as a sequential layer. The reason for this is that Identity traverses all layers. When a user logs in, their credentials are giving them a level of access across all other layers. The transcendent nature of Identity makes it especially important to secure. How are you protecting saved credentials? How are you educating users on attempts that are designed to steal their credentials? Does your security toolset have the capability to determine if a user is valid or a bad actor?
- Advisory: Lastly, the Advisory layer takes a step back from the technology and focuses on the process. Do you have a plan in-place in the event that Ransomware locks you out of your crucial database? What kinds of data needs to be protected? What should you prioritize in the long list of security needs?
Together, these bullet points constitute our approach to security. Last Friday, we watched as various elements of these layers were attacked and the impact of failure at any given layer.
Of course, the Star Wars story is entirely fictional, but the themes explored in this film represent serious concerns for organizations operating in an Internet-connected world. You might say that this as an instance of art imitating life.
As we mentioned earlier, each of these layers deserves to be explored in far more detail. That exploration will likely come as future blog posts, webinars, and events. However, if security is top of mind for you (you should be nodding your head) the fastest way to put yourself on the path to a more secure environment is to email firstname.lastname@example.org and start the conversation.
May the Force be with you.