Skip to main content

The HiSSS of Infrastructure - Part 4

We've arrived at the end of our acronym-ical journal, and what better way to finish, than with everyone's favorite topic... security. Security is the often overlooked, and even more often derided, facet of information technology that everyone loves to hate. Security means rules, and rules means that we don't get to do everything we want, the way we want to. Security is the fun-killer.

Even though most IT professionals have to deal with security in some fashion, infrastructure has a unique role to play in securing systems. In fact, security needs to be right up there with the four other big paradigms of our philosophy of infrastructure. It needs to be there for one very important reason. In infrastructure we have the ability to make a huge impact in the security of a system, often times for very little effort. By the same token, if we don't take security seriously in infrastructure, we also have the biggest opportunity for a huge impact from a negative direction. More than in any other part of IT, a little effort can go a long way to making everyone's lives easier.

This big-impact-little-effort idea is due to the fact that infrastructure is the foundation of so much of what IT does. From networking, to server administration, security at the level of infrastructure can make all the difference. For example, in the world of networking, securing an router so that it keeps the wrong people out of a network doesn't just affect the router. It affects every single server, and every single router that is downstream from it. If a bad guy is able to penetrate a single router, and gain access to an internal network, every single device that touches that router is vulnerable. By the same token, a farm of servers is only as secure as it's weakest link. If one server in a group is compromised, it often serves as a gateway to getting at more and more servers in an enterprise. So the concept of big-impact-little-effort is key to how we view security in the infrastructure. The concept cuts both ways. If we have a vulnerable device in our enterprise it often means a big impact for the bad guys, for very little effort.

However, despite getting a big impact for some of our efforts, we often don't have enough resources to secure everything 100%. So our second concept is the idea of data valuation. Since we often need to choose where to spend our resources when it comes to security, it's important to know what is the most important thing to secure. This begins with a valuation of data, which simply means, putting a price tag on every field of data in your database. There are a lot of resources out on the internet to help do this, and the will often talk about how much a single social security number will fetch on a black market. If you add up all your SSNs and other 'expensive' data, you start to get an idea of how much it would cost you to lose it. If it's valuable to a bad guy, it needs to be valuable to you. The last thing that any enterprise wants to face is a lawsuit for tons of cash because someone grabbed a bunch of SSNs and birth dates from your Oracle server that still had 'scott/tiger' sitting there from your intial install.

But as the theological would say (since I'm one of them), "money isn't everything!" This is quite true, and our third concept in security. Not only do you need to know how much your data is worth, your reputation should always be considered priceless. How important is it to you to keep your organization off the front page of a news site? If the headline reads "Corporation X leaks 400,000 usernames and passwords!!" then I'm betting you want to do something to protect yourself. Even inexpensive data like usernames and password (we all have unique strong passwords for the websites we visit right?) can be a major embarassment for an organization. So if it doesn't convince you to take security seriously because it; a) can result in big bang for little buck; and b) can cost real dollars by leaking sensitive information that has real value on a black market; then do it for c) the priceless reputation of your organization.

If you notice, I haven't spent a lot of time talking about security techniques, and that's because I'm not an expert. I'm not ignorant in the area, but there's a lot of information out there that can help in your particular situation, and I don't want to ruin MY reputation by giving you bad advice on a random blog rambling. What I hope I've done however, is to ephasize three key concepts about WHY you need to secure your systems, and not just give security the quick one-over, hoping that nothing bad will ever happen.

I hope you've enjoyed this series on my philosophy of infrastructure management, and I hope you stick around the blog for other silly liberal arts technology stuff that I might find worth rambling about.

Comments

Popular posts from this blog

The beat goes on

Yesterday Apple revealed their long awaited entry into the streaming music field. They were able to do this quickly because of the acquisition of Beats last year, and the systems and intellectual property that came with that purchase. Considering that the music reveal was pretty much the only big news out of a pretty benign developer keynote, I'll take a few moments to talk about what I think about it. Apple was perhaps the defining company in the music revolution of the past 20 years. With the introduction of the iPod that revolutionized portable music, to the creation of the iTunes store and the eventual death of DRM, Apple has been at the forefront of digital music. This leadership comes with high expectations to continue to lead, and so many people have long questioned Apple not getting into the streaming music business quicker. For the past few years new companies have come forth to lead the change in the streaming music evolution. From Pandora and its ability to create un

The NEW Microsoft

Today Microsoft held their Build conference keynote. As with Apple and Google, developer conference keynotes have become a mainstay of announcements for the general public beyond developers. At first it seemed that Microsoft would be bucking that trend today as the first portions of their keynote were very, very developer centric. However, a lot changed when they started talking about Windows 10. Microsoft is betting the future on building a platform that applications will build off of. Much like Apple and Google, they seem to be discovering that the real money isn't in the operating system itself, but in helping bring applications to consumers through validated app stores. In Microsoft's case it's also seeking to converge all of their platforms into a single unified platform. They once again reiterated today that Windows 10 will run on all of the devices that are out there, from phones to tablets to PC's to XBox game consoles. This means that applications can be writ

Welcome do double digits Mr. Windows

This past week was big for Microsoft and it's future with Windows. Windows 10 was given star status at a press reveal, showing off all of the new features that will be coming in this highly anticipated update to many of our desktops. I watched the live blog of the event, and have been reading over a lot of the reviews of the new technology that Microsoft is looking to deploy. My initial reaction is to be impressed. Much of what was wrong with Windows in the past seems to be a focal point for fixing in Windows 10. A few key things stood out to me as areas that I'm anxious to see more. First, I have to applaud Microsoft for being willing to step back from a design decision (Metro) that didn't pan out they way that they wanted it to. They took what they learned from that experience and have incorporated it into the regular desktop experience in a way that is much more seamless and useful. In fact, Microsoft is ahead of the curve in how they are presenting a user interface