This is a guest blog entry by my colleague and friend Tom Scholtz.
The compromise of several unencrypted files containing administrative passwords apparently exacerbated the impact of the Sony cybersecurity breach.
Many commentators have argued that Sony should have mandated some kind of encrypted password vault solution that the sysadmins must use. The reality however is that even if such a policy and control existed, the sysadmins would in all probability have circumvented it if they believed is slowed them down in the execution of their jobs.
People-centric security (PCS) is a strategic approach to information security that emphasizes individual accountability and trust, and de-emphasizes restrictive, preventive security controls.
If a password management tool was suggested as part of a PCS strategy, rather than mandated by central dictate, maybe the sysadmins in Sony would have voluntarily adopted the solution. Especially given that they would be held personally responsible for any compromise of any unprotected passwords. And dramatically reduced the impact of the breach.
Indeed, pioneer implementers of PCS strategies tell us that they believe their security controls adoption and compliance increased markedly after PCS is implemented.
So one of the lessons of the Sony breach might be to consider the systems admin domain a potential target for implementing PCS.
– Tom Scholtz
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Comments are closed
PCS is a excellent approach for information security, but in additional control for PCS it is implementation of phishing protection solution with focus at the people because the vast majority of fraud begin by email.