So it appears from today’s announcement that the Sony PlayStation Network was hacked after all. Some 70 million users are unable to game online, and other services, such as LoveFilm, are down. Whilst it has had a positive effect on our household (Call of Duty remains unplayed as Son#1 deems it uninteresting unless playing against his friends), unfortunately it continues to be an embarrassment and PR disaster for Sony.
As we continue to expose more computing to the Internet (especially with the move to more cloud-based applications), surely we can expect more incidents of this nature. Do we really take security seriously enough, or is it simply that we don’t understand how deeply security needs to be implemented? I was in discussion with a company last week that indicated many organisations feel it is necessary only to protect the perimeter against attacks. This seems remarkably weak as an approach; as soon as the perimeter is breached, everything is open and available. Perhaps we need to elevate the importance of security within IT, because unless we get things right, data exposures and service outages will continue to be a problem.
One other thought comes to mind while thinking about Sony’s dilemma. The reports (including this from BBC) indicate that Sony are looking to strengthen their network security, which has necessitated taking down the whole infrastructure. However, one of the original design principles of the Internet was that any one section could be damaged and traffic would automatically reroute. Why are we not designing Internet-based applications in this way? After all, with 70 million users, Sony must be spreading the workload across many physical servers and network infrastructure. Perhaps we need to be designing with the Internet methodology in mind – breach one component and you don’t get global access; that component can then be taken down until the breach is resolved.
The recent Amazon AWS outage has shown us that traditional application architectures won’t work well in the cloud. I expect we’ll see a much greater focus on security and application design as organisations struggle to manage embracing Internet-based computing whilst keeping the hackers at bay.