This is a guest blog entry by my colleague and friend Tom Scholtz.
The compromise of several unencrypted files containing administrative passwords apparently exacerbated the impact of the Sony cybersecurity breach.
Many commentators have argued that Sony should have mandated some kind of encrypted password vault solution that the sysadmins must use. The reality, however, is that even if such a policy and control had existed, the sysadmins would in all probability have circumvented it if they believed it slowed them down in the execution of their jobs.
People-centric security (PCS) is a strategic approach to information security that emphasizes individual accountability and trust, and de-emphasizes restrictive, preventive security controls.
If a password management tool had been suggested as part of a PCS strategy, rather than mandated by central dictate, the sysadmins at Sony might have adopted the solution voluntarily, especially given that they would have been held personally responsible for any compromise of unprotected passwords. That would have dramatically reduced the impact of the breach.
Indeed, pioneer implementers of PCS strategies tell us that they believe adoption of and compliance with their security controls increased markedly after PCS was implemented.
So one of the lessons of the Sony breach might be to consider the systems administration domain a potential target for implementing PCS.
– Tom Scholtz