The HiSSS of Infrastructure - Part 4

We've arrived at the end of our acronym-ical journey, and what better way to finish than with everyone's favorite topic... security. Security is the often overlooked, and even more often derided, facet of information technology that everyone loves to hate. Security means rules, and rules mean that we don't get to do everything we want, the way we want to. Security is the fun-killer.

Even though most IT professionals have to deal with security in some fashion, infrastructure has a unique role to play in securing systems. In fact, security needs to be right up there with the four other big paradigms of our philosophy of infrastructure. It needs to be there for one very important reason: in infrastructure we have the ability to make a huge impact on the security of a system, oftentimes for very little effort. By the same token, if we don't take security seriously in infrastructure, we also present the biggest opportunity for a huge impact in the negative direction. More than in any other part of IT, a little effort can go a long way toward making everyone's lives easier.

This big-impact-little-effort idea is due to the fact that infrastructure is the foundation of so much of what IT does. From networking to server administration, security at the level of infrastructure can make all the difference. For example, in the world of networking, securing a router so that it keeps the wrong people out of a network doesn't just affect the router. It affects every single server, and every single router, that is downstream from it. If a bad guy is able to penetrate a single router and gain access to an internal network, every single device that touches that router is vulnerable. By the same token, a farm of servers is only as secure as its weakest link. If one server in a group is compromised, it often serves as a gateway to getting at more and more servers in an enterprise. So the concept of big-impact-little-effort is key to how we view security in the infrastructure. The concept cuts both ways: if we have a vulnerable device in our enterprise, it often means a big impact for the bad guys, for very little effort.

However, despite getting a big impact for some of our efforts, we often don't have enough resources to secure everything 100%. So our second concept is the idea of data valuation. Since we often need to choose where to spend our resources when it comes to security, it's important to know what the most important thing to secure is. This begins with a valuation of data, which simply means putting a price tag on every field of data in your database. There are a lot of resources out on the internet to help do this, and they will often talk about how much a single social security number will fetch on a black market. If you add up all your SSNs and other 'expensive' data, you start to get an idea of how much it would cost you to lose it. If it's valuable to a bad guy, it needs to be valuable to you. The last thing that any enterprise wants to face is a lawsuit for tons of cash because someone grabbed a bunch of SSNs and birth dates from your Oracle server that still had 'scott/tiger' sitting there from your initial install.
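The valuation exercise above, worked through as an added example that is not part of the original post: a small inventory of tables, a per-field "price tag", and a ranking of which tables carry the most exposure. The table names, field names, row counts and dollar figures are all constructed assumptions for illustration, not market prices or anything from the post; the point is the shape of the exercise, including one caveat the prose glosses over: a field that nobody has valued should be flagged, not silently counted as worthless.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Per-field value in cents per record. Constructed, illustrative assumptions only;
# replace with figures from your own valuation sources. Integer cents keep the
# arithmetic exact so totals can be compared without floating-point noise.
FIELD_VALUE_CENTS: Dict[str, int] = {
    "ssn": 2000,
    "birth_date": 300,
    "full_name": 50,
    "email": 10,
    "password_hash": 100,
    "order_total": 0,
}


@dataclass(frozen=True)
class Table:
    name: str
    fields: Tuple[str, ...]
    rows: int


# Constructed inventory standing in for a real schema walk.
INVENTORY: List[Table] = [
    Table("customers", ("full_name", "ssn", "birth_date", "email"), 400_000),
    Table("accounts", ("email", "password_hash"), 400_000),
    Table("orders", ("order_total", "ship_zip"), 2_000_000),
]


def table_exposure(table: Table,
                   field_value: Dict[str, int] = FIELD_VALUE_CENTS
                   ) -> Tuple[int, List[str]]:
    """Return (exposure in cents, fields with no valuation) for one table.

    Exposure is the per-record value of every priced field times the row count.
    Unpriced fields contribute nothing to the number but are reported so the
    gap in the valuation is visible rather than hidden inside a zero.
    """
    per_record = sum(field_value.get(f, 0) for f in table.fields)
    unknown = [f for f in table.fields if f not in field_value]
    return per_record * table.rows, unknown


def rank_tables(inventory: List[Table],
                field_value: Dict[str, int] = FIELD_VALUE_CENTS
                ) -> List[Tuple[str, int, List[str]]]:
    """Rank tables by exposure, most valuable to an attacker first."""
    ranked = [(t.name, *table_exposure(t, field_value)) for t in inventory]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


def total_exposure_cents(inventory: List[Table],
                         field_value: Dict[str, int] = FIELD_VALUE_CENTS) -> int:
    """Sum of exposure across the whole inventory, in cents."""
    return sum(table_exposure(t, field_value)[0] for t in inventory)


def dollars(cents: int) -> str:
    return f"${cents / 100:,.2f}"


if __name__ == "__main__":
    for name, cents, unknown in rank_tables(INVENTORY):
        note = f"  (unvalued fields: {', '.join(unknown)})" if unknown else ""
        print(f"{name:<12}{dollars(cents):>16}{note}")
    print(f"{'total':<12}{dollars(total_exposure_cents(INVENTORY)):>16}")
```

Run as a script it prints the ranking with the unvalued `ship_zip` column called out; the ordering, not the absolute dollar amount, is what decides where the limited security effort goes first.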

But as the theologians would say (since I'm one of them), "money isn't everything!" This is quite true, and it is our third concept in security. Not only do you need to know how much your data is worth, your reputation should always be considered priceless. How important is it to you to keep your organization off the front page of a news site? If the headline reads "Corporation X leaks 400,000 usernames and passwords!!" then I'm betting you want to do something to protect yourself. Even inexpensive data like usernames and passwords (we all have unique strong passwords for the websites we visit, right?) can be a major embarrassment for an organization. So if you aren't convinced to take security seriously because it a) can result in big bang for little buck, and b) can cost real dollars by leaking sensitive information that has real value on a black market, then do it for c) the priceless reputation of your organization.

If you notice, I haven't spent a lot of time talking about security techniques, and that's because I'm not an expert. I'm not ignorant in the area, but there's a lot of information out there that can help in your particular situation, and I don't want to ruin MY reputation by giving you bad advice in a random blog rambling. What I hope I've done, however, is to emphasize three key concepts about WHY you need to secure your systems, and not just give security the quick once-over, hoping that nothing bad will ever happen.

I hope you've enjoyed this series on my philosophy of infrastructure management, and I hope you stick around the blog for other silly liberal arts technology stuff that I might find worth rambling about.
