Skip to main content

The HiSSS of Infrastructure - Part 4

We've arrived at the end of our acronym-ical journal, and what better way to finish, than with everyone's favorite topic... security. Security is the often overlooked, and even more often derided, facet of information technology that everyone loves to hate. Security means rules, and rules means that we don't get to do everything we want, the way we want to. Security is the fun-killer.

Even though most IT professionals have to deal with security in some fashion, infrastructure has a unique role to play in securing systems. In fact, security needs to be right up there with the four other big paradigms of our philosophy of infrastructure. It needs to be there for one very important reason. In infrastructure we have the ability to make a huge impact in the security of a system, often times for very little effort. By the same token, if we don't take security seriously in infrastructure, we also have the biggest opportunity for a huge impact from a negative direction. More than in any other part of IT, a little effort can go a long way to making everyone's lives easier.

This big-impact-little-effort idea is due to the fact that infrastructure is the foundation of so much of what IT does. From networking, to server administration, security at the level of infrastructure can make all the difference. For example, in the world of networking, securing an router so that it keeps the wrong people out of a network doesn't just affect the router. It affects every single server, and every single router that is downstream from it. If a bad guy is able to penetrate a single router, and gain access to an internal network, every single device that touches that router is vulnerable. By the same token, a farm of servers is only as secure as it's weakest link. If one server in a group is compromised, it often serves as a gateway to getting at more and more servers in an enterprise. So the concept of big-impact-little-effort is key to how we view security in the infrastructure. The concept cuts both ways. If we have a vulnerable device in our enterprise it often means a big impact for the bad guys, for very little effort.

However, despite getting a big impact for some of our efforts, we often don't have enough resources to secure everything 100%. So our second concept is the idea of data valuation. Since we often need to choose where to spend our resources when it comes to security, it's important to know what is the most important thing to secure. This begins with a valuation of data, which simply means, putting a price tag on every field of data in your database. There are a lot of resources out on the internet to help do this, and the will often talk about how much a single social security number will fetch on a black market. If you add up all your SSNs and other 'expensive' data, you start to get an idea of how much it would cost you to lose it. If it's valuable to a bad guy, it needs to be valuable to you. The last thing that any enterprise wants to face is a lawsuit for tons of cash because someone grabbed a bunch of SSNs and birth dates from your Oracle server that still had 'scott/tiger' sitting there from your intial install.

But as the theological would say (since I'm one of them), "money isn't everything!" This is quite true, and our third concept in security. Not only do you need to know how much your data is worth, your reputation should always be considered priceless. How important is it to you to keep your organization off the front page of a news site? If the headline reads "Corporation X leaks 400,000 usernames and passwords!!" then I'm betting you want to do something to protect yourself. Even inexpensive data like usernames and password (we all have unique strong passwords for the websites we visit right?) can be a major embarassment for an organization. So if it doesn't convince you to take security seriously because it; a) can result in big bang for little buck; and b) can cost real dollars by leaking sensitive information that has real value on a black market; then do it for c) the priceless reputation of your organization.

If you notice, I haven't spent a lot of time talking about security techniques, and that's because I'm not an expert. I'm not ignorant in the area, but there's a lot of information out there that can help in your particular situation, and I don't want to ruin MY reputation by giving you bad advice on a random blog rambling. What I hope I've done however, is to ephasize three key concepts about WHY you need to secure your systems, and not just give security the quick one-over, hoping that nothing bad will ever happen.

I hope you've enjoyed this series on my philosophy of infrastructure management, and I hope you stick around the blog for other silly liberal arts technology stuff that I might find worth rambling about.

Comments

Popular posts from this blog

The beat goes on

Yesterday Apple revealed their long awaited entry into the streaming music field. They were able to do this quickly because of the acquisition of Beats last year, and the systems and intellectual property that came with that purchase. Considering that the music reveal was pretty much the only big news out of a pretty benign developer keynote, I'll take a few moments to talk about what I think about it. Apple was perhaps the defining company in the music revolution of the past 20 years. With the introduction of the iPod that revolutionized portable music, to the creation of the iTunes store and the eventual death of DRM, Apple has been at the forefront of digital music. This leadership comes with high expectations to continue to lead, and so many people have long questioned Apple not getting into the streaming music business quicker. For the past few years new companies have come forth to lead the change in the streaming music evolution. From Pandora and its ability to create un

The Great Experiment

Recently, a tech journalist that I've followed for many years, and who is an Apple fanboy, posted a series talking about why he switched from an iPhone to an Android phone . It's a good read, and worth the time to see why he made the decision he did. Since I have a Verizon Galaxy Nexus sitting on my desk as a Wi-Fi device, I thought, "What the heck, let's give this a go for a week." So for the past week I've shelved my trusty iPhone 5 and have delved deep into the world of stock Android 4.1. So in the spirit of "copying is the sincerest form of flattery" here's my write-up of my experiences with Google's mobile OS. First, I need to make one caveat. After using the Nexus for a week I have to say that I do NOT like this device. It constantly loses 4G signal, and the battery life almost makes it unusable. I could barely make it to lunch before I was at 20-30% battery. So in the spirit of fairness, if I truly wanted to switch full time to Andro

CES 2013

This past week was a big week for the tech industry, with the holding of the Consumer Electronics Show 2013. Recent years have been a bit 'meh', but this year really had some interesting tech show up. In particular the theme seemed to be changes coming to our living room TV's. Much of what we saw this year revolved around ways to get entertainment to our TV's with set top boxes that tie into other services, or all new TV technology like 4k (Ultra High Defenition). Personally, I'm less excited about UHD, since I just bought a new TV, and am quite happy with it. Plus, I don't think we have the internet bandwidth for UHD content yet. The really cool advances are less technological for me, but structural. One of the things I love about internet delivered entertainment, is the ability to control what you watch a LOT more than the old days of flipping cable channels. I love the idea of discovering a new show, downloading an entire season and devouring it as quickl