Goldman Sachs Tries to Catch a Thief

I came to work this morning to read a Bloomberg article, “Goldman May Lose Millions From Ex-Worker’s Code Theft,” about a recent data breach. The details are still coming in, but allegedly a former computer programmer from Goldman Sachs, Sergey Aleynikov, downloaded and stole a copy of proprietary trading software. To me, this is an interesting data breach story. It raises an issue of intellectual property protection that is very hard to address – how to protect your IP when it is proprietary source code.

The application code in question was unquestionably a significant asset at Goldman Sachs (analogous to Coke’s secret formula or KFC’s secret recipe). But protecting that asset is not as simple as locking the formula in a vault. Protecting source code is very difficult. Most source code control systems wouldn’t have helped here at all. It’s really not common practice to provide “isolation” in these tools. The average programmer has access to all of an application’s source in order to build and test just their part of the code. Privileged users like programmers tend to have wide-ranging access to technology assets, so they represent higher-risk employees who must be tracked and managed more diligently.

That said, approaching risk management proactively can help organizations prevent this type of offense from taking place. Part of the process of identity governance involves truly understanding “who has access to what” and clearly identifying where that access introduces measurable risk. In this case, had Goldman Sachs understood the relationship between Aleynikov’s access risk posture and his current “status,” they may have been able to prevent such an incident from occurring. The good news is they caught him, so something worked – but we won’t know for a while how much damage he was able to do.