Could next-gen identity management have protected HBO from the GoT hack?

[NOTE: This was first published on LinkedIn]

For all Jon Snow’s heroism, for all of Tyrion Lannister’s cunning, HBO could not prevent the latest in the ongoing series of high-profile data breaches (Littlefinger? Ramsay Bolton? He is, after all, a pirate). Such breaches have plagued organizations from the federal government to retail, not to mention the most obvious antecedent in this case, when winter came to Sony (resulting in at least $35 million in losses related to investigations, IT repairs, and future prevention), and the recent Netflix hack. Indeed, this isn’t even a first for HBO.

And while it’s easy enough to mine the incident for jokes like it was dragonglass in the Iron Islands, for HBO executives, it’s certainly no laughing matter. According to Entertainment Weekly, 1.5 terabytes of data were affected, with episodes of popular shows leaked online, including the latest episode of Game of Thrones, as well as at least one executive’s personal financial data and login information for HBO staff.

It will take some time to know the exact nature of the attack on HBO. However, emerging advancements in Identity Management (IDM) are providing a strong deterrent to data attacks at the user authentication level, with a series of ID checks that might even impress the notoriously indifferent Many-Faced God. Those same advancements in IDM offer a first step to enabling additional breakthroughs in how we access and control our data, including multi-silo, permissions-driven search, which reduces the compulsion to store files in less secure cloud environments and delivers streamlined, tailored search results to users based on their job function.

AD landscape then and now

Part of the larger problem is how our approach to digital corporate communications has evolved. In the past, identity management lived on the organization’s Active Directory domain (Microsoft’s Active Directory Domain Services). Users in the 1990s worked on a single system with a single point of IDM authority through that system. At the time, the platform was relatively secure and served the purposes of enterprise users well enough.

Since then, online data repositories have exploded, a wide variety of platforms have arisen for real-time communications, and professionals have been untethered from their desks with mobile devices that take advantage of cloud infrastructure to get things done. This has created a chaotic environment in which a wide variety of devices are used to access files across multiple, isolated silos based both on-premises and on varying cloud-based platforms for data storage and communications.

This multi-silo, multi-cloud data storage and communications topology increases the time it takes to find files stored among various content silos, whether it’s Google Docs, Slack, Dropbox, an internal server, or one of the many places where corporate data is now stored. But the evolution from single-silo IDM, through Microsoft AD, to disparate, disconnected, multi-silo data platforms, each with its own identity management and other peculiarities, has not only made it more difficult to find the files you need when you need them; it has also exponentially increased the attack surface, creating many additional points of entry for digital criminals.

Across this scattered landscape for corporate content, determined hackers now have multiple back doors to sensitive IP — whether that’s a Game of Thrones episode or an in-progress corporate board report — and they are anything but shy about using everything at their disposal to access files for future exploitation.

The new metadata-based approach to identity management

Identity management, moving forward, can no longer rely on a single Active Directory server. Each employee has a host of login credentials for each web service he or she uses. The future of identity takes into account the multi-silo world we now live in.

Next generation identity management solutions must provide employees a consolidated way to authenticate into many disparate sources. Login must be simple (who wants to have to remember hundreds of passwords?), but also secure (you can’t give away the keys to the kingdom).

These next generation IDMs utilize secure token exchanges that ensure the identity of the person accessing the materials is authentic. The IDM application establishes a three-way trust between itself, the company that has deployed it, and the various SaaS-based content repositories users may engage.

Think of it as a Westeros wedding: the SaaS platform has the guest list, and that guest list checks the arriving guest against the IDM’s data, which was approved by the deploying client. All must pass through this authentication process to establish the identity of the user. Every time someone leaves the wedding feast to scheme in the garden with Olenna Tyrell, they will have to repeat the process to regain entry, their temporary guest pass refreshed for each new passage through the gates.

These emerging IDM technologies support all three major authentication protocols: OAuth, SAML, and basic authentication, ensuring the widest base for accessing data stored internally or in the cloud.
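The "guest pass" exchange described above, as an added example that is not part of the original post and not any vendor's code: the IDM mints a short-lived signed token for an authenticated user, and the SaaS platform (the "guest list") checks the signature, the issuer, the intended audience, and the expiry before admitting the bearer. The hostnames, the shared secret, and the five-minute lifetime are constructed assumptions; a real federation would use the IDM's published signing keys (as OAuth and SAML deployments do) rather than a hard-coded secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed assumptions for the demo: the secret the IDM and the SaaS platform
# agreed on when the trust was set up, the two parties' names, and how long a
# "guest pass" stays valid before the user must pass through the gates again.
TRUST_SECRET = b"constructed-demo-secret-not-for-production"
IDM_ISSUER = "idm.example.com"           # hypothetical IDM
SAAS_AUDIENCE = "docs.example-saas.com"  # hypothetical content repository
TOKEN_LIFETIME_SECONDS = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: Optional[float] = None) -> str:
    """The IDM side: mint a signed, short-lived pass for an authenticated user."""
    now = time.time() if now is None else now
    claims = {
        "iss": IDM_ISSUER,          # who vouches for the guest
        "aud": SAAS_AUDIENCE,       # which gate this pass is good for
        "sub": subject,             # the guest
        "iat": int(now),
        "exp": int(now) + TOKEN_LIFETIME_SECONDS,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(TRUST_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """The SaaS side: check the pass before trusting any claim inside it.
    Returns the claims on success and None on every failure, so a caller
    cannot accidentally admit a guest whose pass did not fully check out."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(TRUST_SECRET, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the signature check does not leak timing.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64, or bad JSON
        return None
    if claims.get("iss") != IDM_ISSUER or claims.get("aud") != SAAS_AUDIENCE:
        return None  # minted by someone else, or for a different repository
    if now >= claims.get("exp", 0):
        return None  # the pass has expired; the guest must re-authenticate
    return claims


if __name__ == "__main__":
    token = issue_token("arya")
    print("admitted:", verify_token(token)["sub"])
    print("tampered pass admitted?", verify_token(token[:-4] + "AAAA") is not None)
```

The order of checks matters: the signature is verified before the claims are parsed, so nothing inside an unsigned or forged body ever influences the decision, and an expired pass is rejected even when it is otherwise genuine, which is what forces the "repeat the process to regain entry" behaviour the post describes.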

Greater security opens new frontiers in data management

Cross-silo identity management opens the door for all sorts of new data management services, including unified file search, audit, and governance services.

Because access now spans both the cloud and internal systems, valuable patterns about user habits emerge from internal storage and from all the major SaaS-based communications and storage platforms, delivering additional, actionable insights to management and administrators.

From that point, administrators can automate data accessibility, limiting access to and even knowledge of files based on the user’s job function or other considerations, further reducing the possibility of data theft. The IDM automatically authorizes search based only on these administrative parameters and grants permissions based on which files a user is authorized to see and access.

With the new IDM, multiple points of authentication are in place to make certain Daenerys Targaryen can never gain access to any of the various data repositories in King’s Landing where Cersei Lannister stores her file titled “Evil Plans to Kill Enemies.” Further, if Cersei’s brother Jaime worries after his sister’s mental health and goes snooping across her various accounts, she can set permissions that will not only prevent him from accessing the files, but even seeing they exist.
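Permissions-driven search across silos, as an added example that is not part of the original post and not any product's code: every document in a constructed cross-silo index carries the set of roles entitled to it, search only ever runs over the caller's visible subset, and a direct fetch of a file the caller may not see answers exactly like a file that does not exist, so Jaime learns nothing about Cersei's "Evil Plans" file, not even that it is there. The silo names, roles, users, and titles are all constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Document:
    doc_id: str
    silo: str                  # which repository holds it (constructed names)
    title: str
    allowed_roles: frozenset   # roles entitled to see and open the file


# Constructed cross-silo index. The "Evil Plans" file is visible to the queen
# only; the board report to executives and finance; the lunch plans to everyone.
INDEX: List[Document] = [
    Document("d1", "internal-server", "Evil Plans to Kill Enemies", frozenset({"queen"})),
    Document("d2", "cloud-docs", "Q3 board report (draft)", frozenset({"executive", "finance"})),
    Document("d3", "chat-archive", "Team lunch plans", frozenset({"executive", "finance", "kingsguard", "queen"})),
    Document("d4", "cloud-docs", "Plans for the Red Keep gardens", frozenset({"kingsguard", "queen"})),
]

# Constructed role assignments, the "administrative parameters" the IDM enforces.
USER_ROLES: Dict[str, Set[str]] = {
    "cersei": {"queen", "executive"},
    "jaime": {"kingsguard"},
    "daenerys": set(),
}


def visible_documents(user: str, index: List[Document] = INDEX) -> List[Document]:
    """The only view of the index any user-facing operation is allowed to use."""
    roles = USER_ROLES.get(user, set())
    return [doc for doc in index if roles & doc.allowed_roles]


def search(user: str, query: str, index: List[Document] = INDEX) -> List[str]:
    """Search across every silo at once, but only over what the caller may see."""
    needle = query.lower()
    return [doc.doc_id for doc in visible_documents(user, index) if needle in doc.title.lower()]


def fetch(user: str, doc_id: str, index: List[Document] = INDEX) -> Optional[Document]:
    """Direct access by id. An unauthorized id and an unknown id both return None,
    so guessing ids reveals nothing about which files exist."""
    for doc in visible_documents(user, index):
        if doc.doc_id == doc_id:
            return doc
    return None


if __name__ == "__main__":
    print("cersei:", search("cersei", "plans"))
    print("jaime:", search("jaime", "plans"))
    print("jaime fetch d1:", fetch("jaime", "d1"), "| fetch no-such-id:", fetch("jaime", "no-such-id"))
```

The design choice worth copying is that the entitlement filter sits underneath both search and fetch rather than being applied to search results afterwards; filtering only at the result stage is the classic way an "access denied" error or a result count leaks the existence of a file the user was never supposed to know about.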

Conclusion

By deploying IDM solutions that recognize the complexity of user relationships and file topology in multi-cloud, hybrid environments, organizations can prevent their piece of the Seven Kingdoms from being pillaged. Leading, metadata-based IDM strategies that acknowledge the widest variety of authentication protocols, and then simplify user access across data silos through a seamless desktop interface, can exponentially increase the security of valuable IP, protecting organizations from the White Walkers of data theft that can cost companies millions and significantly hinder future plans for winning the Iron Throne.

This permits greater flexibility and automation of internal permissions processes from within the company itself, granting access to materials when appropriate, hiding them from unauthorized users. IDM also opens the drawbridge to features such as vastly improved internal search, significantly reducing the time it takes to locate files by connecting the various storage and communications platforms that exist both in the cloud and internally. Users access search seamlessly from their desktop without having to go through all the documents available to Samwell Tarly at The Citadel just to get their work done.

We will discuss additional tools and functionalities that become possible through this new approach to the corporate file ecosystem in a future blog post.