This time, we’ll be breaking down the security blunders that the Empire made in Rogue One: A Star Wars Story. Let’s see what the biggest data breach in the galaxy can teach us about security and compliance.
Be warned. Spoilers ahead!
1. Not Mitigating Insider Threats
In Rogue One, Galen Erso is the ultimate insider threat. Erso strongly opposed the construction of the Death Star. But he was coerced by Imperial weapons developer, Orson Krennic, into serving as the station’s lead architect against his will.
Erso played along but secretly stalled the Death Star’s construction from within as much as possible. He even manufactured a critical weakness within the station and sent another defector, Bodhi Rook, with a message informing the rebels about the vulnerability. Krennic’s fatal error was entrusting vital information and processes to someone who openly opposed his organization.
In real life, some of the most damaging data breaches, such as that of Soviet spy Robert Hanssen, have been caused by insiders who didn’t buy into the mission of their organizations. Learn from Krennic’s mistake: mitigate insider threats by only hiring employees who you know are on board with your org’s goals. Use security analytics, such as SIEM tools, to track how they access resources over time. You need to trust, but you should also verify.
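To make "track how they access resources over time" concrete, here is an added example of the kind of rule a SIEM runs over access logs. It is not code from the original post or from OneLogin: it learns each user's normal resources and working hours from a baseline window, then flags later events that use a never-seen resource, fall outside the user's usual hours, or read one resource in a burst. The log lines, user names and thresholds are all constructed for the example.

```python
"""Toy access-log analytics in the spirit of a SIEM rule: learn each user's
normal resources and hours from a baseline window, then flag later events that
fall outside that baseline. All log lines below are constructed sample data."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: timestamp, user, resource, action
BASELINE_LOG = [
    "2017-05-01T09:12:00 gerso design-db read",
    "2017-05-01T10:05:00 gerso design-db write",
    "2017-05-02T09:40:00 gerso reactor-specs read",
    "2017-05-02T14:20:00 gerso design-db read",
    "2017-05-03T11:00:00 gerso reactor-specs write",
    "2017-05-01T09:00:00 krennic budget-reports read",
    "2017-05-02T16:30:00 krennic budget-reports read",
]

REVIEW_LOG = [
    "2017-05-10T10:00:00 gerso design-db read",          # normal
    "2017-05-10T23:45:00 gerso design-db read",          # off-hours
    "2017-05-11T10:30:00 gerso shuttle-manifests read",  # resource never used before
    "2017-05-11T10:31:00 gerso shuttle-manifests read",
    "2017-05-11T10:32:00 gerso shuttle-manifests read",
    "2017-05-11T10:33:00 gerso shuttle-manifests read",
    "2017-05-11T10:34:00 gerso shuttle-manifests read",  # 5th read: burst
    "2017-05-11T10:35:00 gerso shuttle-manifests read",
    "2017-05-11T09:30:00 krennic budget-reports read",   # normal
]


def parse(line):
    """Split one constructed log line into (timestamp, user, resource, action)."""
    ts, user, resource, action = line.split()
    return datetime.fromisoformat(ts), user, resource, action


def build_baseline(lines):
    """Per user: the set of resources touched and the hours of day seen active."""
    resources = defaultdict(set)
    hours = defaultdict(set)
    for line in lines:
        ts, user, resource, _ = parse(line)
        resources[user].add(resource)
        hours[user].add(ts.hour)
    return resources, hours


def find_anomalies(baseline_lines, review_lines, burst_threshold=5):
    """Return (user, reason, detail) tuples for events outside the baseline.

    Three rules: a resource the user never touched in the baseline (reported
    once per user/resource), an hour of day the user was never active, and a
    per-day read burst against one resource (a crude exfiltration signal)."""
    resources, hours = build_baseline(baseline_lines)
    findings = []
    reported_new = set()
    daily_counts = defaultdict(int)
    for line in review_lines:
        ts, user, resource, action = parse(line)
        if resource not in resources[user] and (user, resource) not in reported_new:
            reported_new.add((user, resource))
            findings.append((user, "new-resource", resource))
        if ts.hour not in hours[user]:
            findings.append((user, "off-hours", ts.isoformat()))
        key = (user, resource, ts.date())
        daily_counts[key] += 1
        if daily_counts[key] == burst_threshold:
            findings.append((user, "burst", f"{resource}:{burst_threshold}"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(BASELINE_LOG, REVIEW_LOG):
        print(finding)
```

Each rule on its own produces noise; the point of the baseline is that a finding means "this user has not done this before", which is exactly the signal you want before a Galen Erso quietly widens his access.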
2. Not Implementing Defense in Depth
The Imperial Garrison at Scarif, where the Death Star schematics are being stored, is protected by a planetary deflector shield that blocks all spaceships and radio signals. It’s the ultimate firewall.
But as formidable as this defense was, once past it, our hero Jyn Erso and her comrades are able to slip through the atmospheric shield defenses. It’s the classic “hard shell, chewy center” security pattern that exists in many on-premises data centers, which gives malicious actors free rein once they are past the perimeter.
The Empire would have done well to bone up on the concept of Defense in Depth: overlapping systems designed to provide security even if one of them fails. In real life, this includes a combination of multi-factor authentication (MFA), unified endpoint management, identity and access management (IAM), cloud access security brokers (CASB), security information and event managers (SIEM), and other components.
3. Falling for Social Engineering
Speaking of the Scarif deflector shield, Bodhi was able to get through the shield gate using outer space social engineering. Bodhi knew the Imperial protocol for taking a ship through a checkpoint, he had an Imperial ship, and he had an authentication code, albeit an old one. That was enough to convince the gate controllers, perhaps lulled into a false sense of security by the planetary defense shield, to let our other heroes pass through.
4. Not Putting a Face to Identity
After touching down on Scarif, K-2SO and the disguised Jyn and Cassian are able to stroll right into the Imperial base without any Empire personnel giving them a second glance. It’s not until the rebel soldiers begin their assault on the base that anyone even thinks to question them. But by that point it was too late: Jyn and company had already reached the data vault they were looking for.
In our universe, it’s critical to put a face to identity so that you know who is in your facilities. You can do this by choosing an Identity and Access Management system whose user profile page includes user photos, and that can import those photos automatically from Human Capital Management (HCM) systems like Workday, Ultipro, and Namely, or accept uploads from users or IT.
5. Not Shutting out Compromised Machines
Two of the Rogue One crew’s most valuable assets are Bodhi Rook’s stolen Imperial shuttle and the reprogrammed Imperial droid, K-2SO. As mentioned above, these resources make it easy for our heroes to slip behind Imperial lines.
But you’d think that the Empire would have systems in place to instantly detect these compromises, and remotely shut down assets to prevent them from being exploited. Wouldn’t it have been helpful if the Empire could remotely monitor the locations and times that their shuttles were being used? Or if they could identify suspicious droid activity and shut that droid down with a single button-press?
There are many moments in Rogue One where the Empire would have been saved a lot of grief if they had implemented these types of systems…
Watching Rogue One, I couldn’t help thinking about Adaptive Authentication, the latest evolution in MFA in our galaxy. This product analyzes the digital fingerprint of any device attempting to sign into OneLogin; unfamiliar devices get a higher risk score, which increases the likelihood that their user will be prompted for MFA.
I also thought of OneLogin Desktop, a product that equips organizations with a kill switch for stolen laptops. Should a laptop be stolen, IT can suspend the user in OneLogin. Once that laptop connects to the Internet, no one will be able to log into the laptop account associated with that user, thus restricting access to data on the laptop.
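The two ideas above, a risk score driven by device familiarity and a per-user kill switch that denies access before anything else is evaluated, fit in one small decision routine. The following is an added illustration, not OneLogin’s code and not a description of how Adaptive Authentication or OneLogin Desktop are implemented; the `User` record, the fingerprint attributes, the risk weights and the `MFA_THRESHOLD` value are all assumptions made for the example.

```python
"""Toy risk-based (adaptive) login decision with a user kill switch.
Everything here (user record, fingerprint attributes, weights, threshold) is a
constructed assumption for illustration, not a vendor's implementation."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

MFA_THRESHOLD = 50  # assumed: at or above this score the user must complete MFA


@dataclass
class User:
    name: str
    suspended: bool = False                  # the kill switch: set by IT
    known_devices: set = field(default_factory=set)
    last_country: Optional[str] = None


def fingerprint(device):
    """Stable hash over the device attributes an auth service can observe.
    Any attribute change (new browser, new OS) yields an unfamiliar fingerprint."""
    canonical = "|".join(f"{k}={device[k]}" for k in sorted(device))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def risk_score(user, device, country):
    """Assumed weights: an unseen device is the strongest signal, a change of
    country since the last login is a weaker one."""
    score = 0
    if fingerprint(device) not in user.known_devices:
        score += 60
    if user.last_country and country != user.last_country:
        score += 30
    return score


def decide_login(user, device, country, password_ok):
    """Return 'deny', 'mfa' or 'allow'.

    A suspended user is denied before credentials or risk are looked at, so a
    stolen laptop stops working the moment IT flips the switch and the device
    next reaches the service."""
    if user.suspended:
        return "deny"
    if not password_ok:
        return "deny"
    if risk_score(user, device, country) >= MFA_THRESHOLD:
        return "mfa"
    return "allow"


def enroll_device(user, device, country):
    """Called after a successful MFA: the device becomes familiar and the
    login country becomes the new reference point."""
    user.known_devices.add(fingerprint(device))
    user.last_country = country


if __name__ == "__main__":
    jyn = User("jyn")
    laptop = {"os": "linux", "browser": "firefox/52"}   # constructed attributes
    print(decide_login(jyn, laptop, "NL", True))        # mfa: never-seen device
    enroll_device(jyn, laptop, "NL")
    print(decide_login(jyn, laptop, "NL", True))        # allow
    jyn.suspended = True
    print(decide_login(jyn, laptop, "NL", True))        # deny
```

Two design choices worth noting: a country change alone (30 points) does not reach the threshold, because travel is common and a known device is still the stronger evidence; and the suspension check comes first, so no amount of correct credentials or familiar hardware gets a suspended account in.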
6. Allowing Mnemonic File Names
After infiltrating the data vault toward the end of the movie, Jyn and Cassian search through the necessary data stores to find the Death Star schematics. Eventually they come to a file called “Stardust”, the nickname Galen gave his daughter Jyn before the Empire conscripted him into service. Upon seeing this name, Jyn knows that this must be the file they are looking for.
In our universe, a benefit of cloud security is that each cloud datacenter has tens of thousands of servers, each of which is cryptically named. So, even if a hacker somehow managed to get past the formidable security guarding a cloud datacenter, there’s no easy naming scheme to lead them straight to the server holding the data they are looking for.
7. Single Point of Failure
After finally retrieving the Death Star schematics, Jyn and Cassian are faced with another problem: The data file they need to transmit is too large to be sent through the Empire’s atmospheric shield surrounding Scarif. The shield will have to be disabled before they can deliver the plans to the outside rebel forces.
Conveniently enough, the shield generators are positioned just outside the shield perimeter. A rebel hammerhead ship forces two star destroyers to crash into each other, which then crash into the shield generator. Once the shield was down, there was nothing preventing the Death Star schematics from being delivered into the hands of the rebellion.
In real life, security systems such as an IAM system should have redundancy to provide increased uptime, and should fail closed: if they go down, they should deny access rather than let everything through.
The Cost of Negligence
As mentioned in our last Star Wars post, the Empire’s failure to enact basic security precautions ultimately came with massive costs in finances, casualties, reputation and wasted time. One estimate is that it cost the Empire $852,000,000,000,000,000, roughly 13,000 times Earth’s GDP, to build the Death Star — not to mention the significant competitive advantage lost to the rebels.
In our galaxy, Forrester estimates that data breaches typically cost about 4 million to remediate, with each record lost costing anywhere between $50 and $300. Conversely, consider how the total economic impact of OneLogin can result in an ROI of nearly 500% in the first two months. I don’t know what this translates to in Imperial Credits, but you can calculate how much OneLogin can save your organization with our free Forrester ROI Calculator.
Is your data secure from rebel scum?
Want to learn more? Contact us to see the latest and greatest in enterprise data security. You may be interested in a demo for OneLogin Desktop or the latest in MFA technology, Adaptive Authentication. Had the Empire been equipped with either of these tools, all of this trouble could have been avoided.
Happy Star Wars day, everyone! And may the force be with you.