It’s always easy when you build something starting from a clean slate. The challenge is in getting control of the present complexities, and to institute systematic changes to achieve the desired final state.
In the IT world, a clean slate is rarely what you get—organizations operate in a mish-mash of legacy systems, glued-together applications and tenuously operating infrastructures. Little wonder that IT security is such a hard proposition to deliver on.
But there is hope, and a basic framework for a secure information infrastructure is emerging…
Painting Ourselves Into A Corner
Imagine that you run the data center operations in a globally distributed organization. Not only have you inherited infrastructures that are by now quite antiquated, but your capacity to make security upgrades is often confined to moderate or no change at all [compatibility, vendor roadmaps, compliance certifications, etc., all come to mind]. In fact, many of the infrastructure products that we deploy even today are not secure!
The result is that we need to build perimeters of defense around these products just to gain a basic degree of assurance in data confidentiality and integrity. And these new security products for the security perimeter may themselves not be scalable, not be applicable across the various infrastructure components, or not even be secure themselves! Yet, out of dire need, we bolt them on, ad hoc, and closely monitor and optimize them for our secure operations.
Soon enough, we discover security gaps in our layers of “lock-tight” security, and need even more security products to fill them. And why not? Haven’t we built up complex, customized security realms that are neither comprehensive nor consistent in their security? And the few synergies and operating efficiencies between them can only assure us of increasing security operations costs…
And are we any more secure? Do we even feel any more secure? The worsening complexities in our infrastructure can only mean that we have diminishing confidence in assessing, monitoring and controlling continually emerging vulnerabilities.
Not only is our ability to sustain critical business initiatives compromised, but just how exposed are we to customer wrath and a non-compliance finding?
On The Other Hand, Painting A Brighter Future…
What if deployed products were designed to be secure? What if security were built into the product inherently, obviating the need for add-on security products? Wouldn’t this tighten the security perimeter around the products themselves and allow fewer layers of wrapped-around security? Then, for the fewer gaps that might remain, specific security products could be deployed very selectively to ensure a cleanly architected infrastructure. These security products would potentially work across varied infrastructures [servers, storage, networks] and even across heterogeneous vendor bases.
Investment and operating costs would of course be reduced, but more importantly, our assurance levels would improve dramatically, partly because product vendors would be able to offer us better assurances, and partly because we would gain increasing control of our security environments.
That would really be Sustainable Security—one that we can build, deploy and support throughout the lifecycle of the infrastructure, and indeed, the information itself.
Next blog: Towards A Secure Information Infrastructure [The Framework]