Last week I had the opportunity to join the 2014 edition of the LEGO IT Summer Camp. The topic for this year was Enterprise Security. We were 15 students from around Denmark specialised in computer science/IT engineering and communication and organisation. You can see the description in the official Summer Camp poster.
Companies around the world are hyped about security breaches from 2013 (a good example being the Target POS malware incident), which should be more than enough to make anybody start thinking that security is not to be neglected. Data confidentiality is also a sensitive aspect when it comes to market launches and new product designs.
The idea of the summer camp was to split the participants into 3 teams, each covering a case problem. The problems are related to current IT trends such as cloud services, data transporting security and security monitoring. The criteria on which the case solutions were evaluated are:
- how easily can they be integrated in the LEGO environment in accordance with LEGO values
- how can they enable LEGO users and collaborators to be flexible when using different services
- the level of CIA that they are providing
Each of the teams was awarded for either user friendliness, innovative aspect or technical aspect. My team won the most innovative concept award.
I have never considered security from the point of view of a big company. For instance, in a company whose products/services have nothing to do with IT, the IT department is seen as a facilitator for other departments, e.g. providing and maintaining an infrastructure on which information is being shared in the company. This last week gave me an insight into this, and there are 2 main areas that give people headaches:
- the technical aspect – integrating security in a global, 14000-user environment (approx. number of LEGO employees)
- the change management aspect – having users understand, accept and use security principles
Even though a change might be relatively insignificant from a technical point of view, how are 14000 employees going to be convinced to adopt the change? How are they determined to use the proposed service and not something that they are used to? How can users be prevented from using certain services without going against certain company principles? These are all questions that made me realise that IT security will never have a foolproof working solution without educating the user and raising awareness.
I’ve visited company factories and offices before but never one as big as LEGO. When it comes to producing and product handling, everything is automated and well put in place. Regarding managing tasks in the factory, I’ve noticed that they took the same approach as other Danish companies, and that is to manually handle it using a whiteboard and stickers. As I’ve heard from other companies, this is a more “hands-on” experience and helps people understand better, rather than using a computerized approach.
Apart from everything related to LEGO (factory, museum, LEGOland, offices) we had some interesting presentations from security-minded people. One of them is Peter Kruse, co-founder of CSIS, with a very energetic presentation on APTs, spearphishing, botnets, and how easily you can buy a different identity or stolen credit cards. Something worth mentioning is the Sinkhole project, which gave the people from CSIS some interesting information regarding botnets.
Another presentation was about secure development of iOS apps. We had 2 iOS developers working at Shape, a Copenhagen-based company, who showcased a bit of reverse engineering by hacking their own app and Flappy Bird.
Participating at such an event can only bring benefits. The most important ones, in my case, are the following:
- getting a chance to showcase your knowledge
- networking with people in your area of interest
- getting inspired: new ideas, new insights
All this besides meeting new people and enjoying what you’re doing in a high-quality environment. Looking forward to more events like this.