It is 2020 now, and while the new year has a lot in store with regard to privacy, I want to take a look back. In fact, I want to look way back, long, long ago. In a galaxy far, far away. That’s right, I found a reason to write about Star Wars and privacy.
While I don’t celebrate Christmas, I still hold the tradition with my family of ordering some food in and watching a movie. I picked the seminal classic, Stars Wars: A New Hope as both my son and wife had never seen it; I had not taken the time to watch it since entering the privacy world. After watching it, I have come to the conclusion that the Galactic Empire, an organization capable of building a planet destroying space station, needs some serious privacy help. Spoilers ahead for a 43-year-old movie as well as a hefty helping of nerd talk.
First off, the entire plot of the movie revolves around Darth Vader and his forces retrieving stolen plans for their space station, the Death Star. The whole point being that these plans are the only remaining copy as the imperial archives that held them previously were destroyed because of the happenings in a newer film, Rogue One. This brings up the first issue, why isn’t there a backup of the archives -let alone the plans- anywhere?
Any privacy program will cover how information is retained, where backups are kept, and what redundancies are in place for the information they hold. Why isn’t that the case here? If there was a backup of the information elsewhere, let’s say in the capital of the government that has a single planet covering city, none of this would have ever been an issue. Which brings up another question that I won’t get into, but what is the retention policy on the plans for a space station with a giant super laser?
Access for Everyone
Later in the film, our intrepid heroes arrive on said space station, now looking for a captured Princess Leia. They discover that she is being held there from R2-D2, a standard, R2 model, astromech droid, who is able to access the entire galactic network through a single port on a console overlooking the docking bay. I want to really emphasize this. The entire network of a galaxy spanning empire is accessible from a single system on a space station by a standard issue droid that is somewhere between 20-30 years old.
Access controls are really important, as is segregating information in your systems. An organization cannot keep all their data in one place, as this increases the risk in the event of a breach or similar incident. This also raises a lot of issues regarding employee information. If all your data is on one network or one server, someone who gains access now has access to everything. This is similar to the Ashley Madison breach, where the hackers said all of the servers were connected and easily navigated between. If you can find information on where prisoners are being held, who is to say you couldn’t find all the HR records for the various personnel around the same station.
As many, even those who have never watched Star Wars, already know, the ultimate downfall of the Death Star is a small, 2-meter-wide exhaust port. Firing a single proton torpedo down the shaft will cause a chain reaction, destroying the entire space station. This vulnerability is somehow unknown to the empire and overlooked entirely, but revealed by the plans of the Rebellion. So again, a massive, technologically advanced, galaxy spanning empire misses the small details. How could they have known about such a problem? Well, checking is a good start.
Vulnerability testing is a very common exercise for security and privacy personnel. Essentially, you are looking for any vulnerability in your systems, generally assisted by a third party or other subject matter experts. It is important to do this annually or at least have a schedule for when this will be done. This allows you to find any issues and deal with them proactively, as well as find potential breaches that had gone otherwise, unnoticed. Surely, a group of engineers would have seen the threat a small, unprotected exhaust port would pose to a space station.
I highly suggest that the Imperial Senate put out an RFP for privacy related services, especially seeing as they are in dire need of an assessment of their existing program.