We've arrived at the end of our acronym-ical journal, and what better way to finish, than with everyone's favorite topic... security. Security is the often overlooked, and even more often derided, facet of information technology that everyone loves to hate. Security means rules, and rules means that we don't get to do everything we want, the way we want to. Security is the fun-killer.
Even though most IT professionals have to deal with security in some fashion, infrastructure has a unique role to play in securing systems. In fact, security needs to be right up there with the four other big paradigms of our philosophy of infrastructure. It needs to be there for one very important reason. In infrastructure we have the ability to make a huge impact in the security of a system, often times for very little effort. By the same token, if we don't take security seriously in infrastructure, we also have the biggest opportunity for a huge impact from a negative direction. More than in any other part of IT, a little effort can go a long way to making everyone's lives easier.
This big-impact-little-effort idea is due to the fact that infrastructure is the foundation of so much of what IT does. From networking, to server administration, security at the level of infrastructure can make all the difference. For example, in the world of networking, securing an router so that it keeps the wrong people out of a network doesn't just affect the router. It affects every single server, and every single router that is downstream from it. If a bad guy is able to penetrate a single router, and gain access to an internal network, every single device that touches that router is vulnerable. By the same token, a farm of servers is only as secure as it's weakest link. If one server in a group is compromised, it often serves as a gateway to getting at more and more servers in an enterprise. So the concept of big-impact-little-effort is key to how we view security in the infrastructure. The concept cuts both ways. If we have a vulnerable device in our enterprise it often means a big impact for the bad guys, for very little effort.
However, despite getting a big impact for some of our efforts, we often don't have enough resources to secure everything 100%. So our second concept is the idea of data valuation. Since we often need to choose where to spend our resources when it comes to security, it's important to know what is the most important thing to secure. This begins with a valuation of data, which simply means, putting a price tag on every field of data in your database. There are a lot of resources out on the internet to help do this, and the will often talk about how much a single social security number will fetch on a black market. If you add up all your SSNs and other 'expensive' data, you start to get an idea of how much it would cost you to lose it. If it's valuable to a bad guy, it needs to be valuable to you. The last thing that any enterprise wants to face is a lawsuit for tons of cash because someone grabbed a bunch of SSNs and birth dates from your Oracle server that still had 'scott/tiger' sitting there from your intial install.
But as the theological would say (since I'm one of them), "money isn't everything!" This is quite true, and our third concept in security. Not only do you need to know how much your data is worth, your reputation should always be considered priceless. How important is it to you to keep your organization off the front page of a news site? If the headline reads "Corporation X leaks 400,000 usernames and passwords!!" then I'm betting you want to do something to protect yourself. Even inexpensive data like usernames and password (we all have unique strong passwords for the websites we visit right?) can be a major embarassment for an organization. So if it doesn't convince you to take security seriously because it; a) can result in big bang for little buck; and b) can cost real dollars by leaking sensitive information that has real value on a black market; then do it for c) the priceless reputation of your organization.
If you notice, I haven't spent a lot of time talking about security techniques, and that's because I'm not an expert. I'm not ignorant in the area, but there's a lot of information out there that can help in your particular situation, and I don't want to ruin MY reputation by giving you bad advice on a random blog rambling. What I hope I've done however, is to ephasize three key concepts about WHY you need to secure your systems, and not just give security the quick one-over, hoping that nothing bad will ever happen.
I hope you've enjoyed this series on my philosophy of infrastructure management, and I hope you stick around the blog for other silly liberal arts technology stuff that I might find worth rambling about.
Even though most IT professionals have to deal with security in some fashion, infrastructure has a unique role to play in securing systems. In fact, security needs to be right up there with the four other big paradigms of our philosophy of infrastructure. It needs to be there for one very important reason. In infrastructure we have the ability to make a huge impact in the security of a system, often times for very little effort. By the same token, if we don't take security seriously in infrastructure, we also have the biggest opportunity for a huge impact from a negative direction. More than in any other part of IT, a little effort can go a long way to making everyone's lives easier.
This big-impact-little-effort idea is due to the fact that infrastructure is the foundation of so much of what IT does. From networking, to server administration, security at the level of infrastructure can make all the difference. For example, in the world of networking, securing an router so that it keeps the wrong people out of a network doesn't just affect the router. It affects every single server, and every single router that is downstream from it. If a bad guy is able to penetrate a single router, and gain access to an internal network, every single device that touches that router is vulnerable. By the same token, a farm of servers is only as secure as it's weakest link. If one server in a group is compromised, it often serves as a gateway to getting at more and more servers in an enterprise. So the concept of big-impact-little-effort is key to how we view security in the infrastructure. The concept cuts both ways. If we have a vulnerable device in our enterprise it often means a big impact for the bad guys, for very little effort.
However, despite getting a big impact for some of our efforts, we often don't have enough resources to secure everything 100%. So our second concept is the idea of data valuation. Since we often need to choose where to spend our resources when it comes to security, it's important to know what is the most important thing to secure. This begins with a valuation of data, which simply means, putting a price tag on every field of data in your database. There are a lot of resources out on the internet to help do this, and the will often talk about how much a single social security number will fetch on a black market. If you add up all your SSNs and other 'expensive' data, you start to get an idea of how much it would cost you to lose it. If it's valuable to a bad guy, it needs to be valuable to you. The last thing that any enterprise wants to face is a lawsuit for tons of cash because someone grabbed a bunch of SSNs and birth dates from your Oracle server that still had 'scott/tiger' sitting there from your intial install.
But as the theological would say (since I'm one of them), "money isn't everything!" This is quite true, and our third concept in security. Not only do you need to know how much your data is worth, your reputation should always be considered priceless. How important is it to you to keep your organization off the front page of a news site? If the headline reads "Corporation X leaks 400,000 usernames and passwords!!" then I'm betting you want to do something to protect yourself. Even inexpensive data like usernames and password (we all have unique strong passwords for the websites we visit right?) can be a major embarassment for an organization. So if it doesn't convince you to take security seriously because it; a) can result in big bang for little buck; and b) can cost real dollars by leaking sensitive information that has real value on a black market; then do it for c) the priceless reputation of your organization.
If you notice, I haven't spent a lot of time talking about security techniques, and that's because I'm not an expert. I'm not ignorant in the area, but there's a lot of information out there that can help in your particular situation, and I don't want to ruin MY reputation by giving you bad advice on a random blog rambling. What I hope I've done however, is to ephasize three key concepts about WHY you need to secure your systems, and not just give security the quick one-over, hoping that nothing bad will ever happen.
I hope you've enjoyed this series on my philosophy of infrastructure management, and I hope you stick around the blog for other silly liberal arts technology stuff that I might find worth rambling about.
Comments
Post a Comment