Security of a corporate web infrastructure

When our competitors get hacked, we take notice. For some reason, the PlayStation Network breach made people less worried than the Adidas event yesterday. So I wrote a quick response which I’d like to share here.

Preliminary reports about Adidas suggest their sites may have been serving malicious content following a security breach that gave attackers access to the sites’ HTML but not to the databases (no user information has been exposed).

Their response has been praised by security experts as prompt and appropriate. They’ve basically done the right thing.

The scope of the take-down suggests their systems share technical elements quite broadly, which highlights the risks inherent to global infrastructures: problems become instantly more serious.

But the flip side is obviously that problems get noticed faster, and resolved with more certainty.

As far as we are concerned, the security of our web systems for Onitsuka Tiger (Europe and Australia), ASICS (Europe) and My ASICS (global) is currently managed entirely by our supplier The Plant, reliant on much of the software and physical security offered by our hosting provider Amazon Web Services.

Basically, we have application-level security (what the web site allows users to do), which is reliant on The Plant doing a good job of writing software, and on their choice of underlying technologies. Of particular importance here: the use of off-the-shelf software (CMS, but also third-party features such as the Facebook “Like” button, Bazaarvoice comments, Google Maps for the store locator, etc.) always creates security trade-offs, where the team responsible for security will not be aware of all details of the software they use, resulting in blind spots.

Then there is system security, which is dependent on good security practices (few people have access to the machines, only through relatively secure means, and the architecture of the systems has been designed with security in mind), again on the choice of underlying technologies (Adidas runs its affected services on a Windows platform, which has a reputation for being harder to secure than the Unix systems we use), and on the physical security of the machines (the Cloud is extremely secure from that perspective).

Finally, we have active monitoring in place, to check on a regular basis that everything is going OK. At this point, our monitoring is focused on the availability of the services, and not so much on security. This could be something we can improve, at a cost.

In the Adidas case, I suspect application-level problems: some legitimate feature of the site was probably leveraged to gain illegitimate access to the content.

Completely preventing security problems isn’t possible (web sites are too complex now), but you can mitigate risks by a combination of:
#1: good basic policies and technology choices
#2: clear technical responsibility to avoid dilution and blind spots
#3: a good attitude when problems do occur.

Sony was a really poor example: their PlayStation Network was hacked into, resulting in compromised user data (the worst possible scenario, even resulting in a regulatory breach, on top of the image and other business issues). They compounded a heavy technical failure (#1) with a confused response (#2), then denial and poor communication (#3). Adidas has avoided #2 and #3, and their fault on #1 seems to have been much lighter.
