Thursday, December 22, 2016

Rogue One: A Star Wars Story or A Backup Story?

Recently saw the Rogue One installment of the latest installment of the Star Wars series of films.

I feel obligated to warn you that this is a spoiler alert.

However, if you seen Episode IV: A New Hope, then you really know the outcome already. But read at you're own peril.

As we know from Episode IV, the Death Star plans were obtained "at a high cost". And Rogue One is all about how the rebels get these plans. The protagonist, Jyn Erso, struggles to locate her father who is actually a fifth column within the Empire - purposely building a weakness into the Death Star. However, for his plan to succeed the rebels need to get their hands on - you guessed it - an offsite tape backup!

I kid you not!

Think about it: even in "a long time ago in a galaxy far, far away", those tape backups are the main way the Empire keeps a backup of their data.

The dramatic scene when they are trying to get the backup tape requires the heroes to use mechanical arms to pull out the backup out of the tape library. Of course, the arms breakdown as the Storm Troopers are able to overrun the building requiring the heroes to get the data themselves.

Yes, they can travel at lightspeed but still have not managed to move away from tape backups on to the cloud or something else.  Yikes.

To be fair the Star Wars movie makers had a tough balancing act: how do they remain true to the original but at the same time account for the fact that the original movie was made 2 decades before the Internet and 3 decades before the iPhone? 

In a way, the epic Battle of Scarif, is in reality of how the rebels (the hacktivists if you will) do their best to defeat the myriad information security controls that the Empire has in place to keep their backups secure. 
  • Physical security: Definitely, the Empire has good physical security, a whole Armada of ships to protect the Scarif - and light sabre wielding Darth Vader to boot! This includes the impenetrable shield that is used to prevent unauthorized vehicles/starships from entering the facility. Kind of like a futurized version of a bollard
  • Logical security: Really Empire? Only passwords? Of course to enter the facility, required the Rogue One to give a valid "access code" to enter the facility. Perhaps, if they had two-factor authentication or changed the access codes more frequently their facilities would have remained secure.  
  • Obscurity: Not sure if the Empire had encryption, but they ensured that to find the tapes you needed knowledge of how the backups were labeled and stored. To this point, perhaps the Empire could have used better training to ensure Erso's dad was instructed not to use names of family. 
  • Offsite backups: Talk about offsite backups! Not only was the tape not located on the Death Star or the facility where Erso's dad was engineering the Death Star, it was located light years away! 
  • Authorized communications: Part of the challenge the rebels had was that the file was too large and needed a special channel to communicate the plans to the rebel.
Probably not the full list of controls, but who would have thought a background in IT Audit would give you insights into a Star Wars Story :)

No comments: