Page 12 - 2016


Aid-like approach, the addition of mobile (and IoT infrastructure) complexity has created a horse-before-the-cart approach to fortifying potential avenues of network intrusion by malicious hackers.

Garbani likens this approach to building a car part-by-part, instead of going to your local dealership and purchasing one off of the show floor. “The way we are building datacenters now is like going to the auto parts store and ordering the parts for the car separately and then going home and attempting to put it together in your garage,” Garbani says. “In this way we will never have an efficient car; it may never run. And this is how we are building IT today.”

The addition of mobile applications outside the perimeter that have access 24/7 to the network adds an exponential layer of complexity for the CISO trying to secure corporate data. “We have a traditional view of IT, but there’s nothing traditional about defending the network from mobile points of intrusion,” says Greg Young, vice president of research at Gartner, a leading global IT research and advisory company.

Young describes an IT scenario that is complex but that is still manageable. “The rules have changed (with mobile points of intrusion) and we have attempted to go to new abstract models, but those haven’t worked out so well,” he adds. “We could give up on (protecting) the perimeter and merely protect the host, but this exposes your datacenter.” Alternately, Young posits, CISOs could develop “zero trust” networks with single points of failure, but the restriction in this scenario would lead to the removal of decision support and functional business applications such as email, web-based apps and file sharing outside the perimeter.

The advances in the past 10 years in outside-the-perimeter applications and mobile device connectivity have all but broken down the walls of perimeter defense and created seemingly unmanageable complexity for proactive security.

Just as we thought we were getting a handle on infrastructure visibility via the CMDB, mobile computing ups the ante for datacenter security. And though we seem to have the stomach for it (InfoSec spending is up in 2015 five percent from 2014), we are still tactical and reactive to building and securing IT, and it seems that we will never get it all put together correctly, like the parts strewn all over our garages.

Our approach to building IT infrastructures is not strategic, but that’s okay, neither is our HR approach to IT.

Garbani’s IT acumen dates back to the 1970s, a much simpler time for IT when the lines were black and white for perimeter security: essentially, you were either inside the perimeter or you were outside. Because infrastructures were less complex (in 1980, 26mb of disk space would have cost you roughly $5,000), the human resources needed to manage the complexity were also simpler.

“Forty years ago we didn’t have security problems. Things were very simple,” says Garbani. “I had everything in my head and so did the people I worked with. Today, there is no single view across all systems nor is there an inkling of what systems are talking to one another and this is a big problem for service delivery and security.”

Garbani makes the point that because of the specialization of human resources in IT, perhaps it is better to put everything in the cloud and let specialists manage it for us, but that this route might be decades away. “We need bridges that span across disciplines, or we need to put it all in the cloud and let specialists manage it,” Garbani adds.

“Years ago, operations people didn’t understand software, and people doing software didn’t understand hardware, and the specialization continued to where today nobody can have it all in their heads. There needs to be bridges across these disciplines, yet the only bridges now are at the architecture level and architects aren’t (infrastructure) builders, they are designers.”





CYBER DEFENSE MAGAZINE - ANNUAL EDITION 12