Andrew Buss, originally published on Computing
Do you know what’s running in your network?
In this time of ever increasing security threats and hacking attacks, a recent meeting I was at brought home the old adage, “If you can’t manage it, you can’t secure it”. I was talking to a major web services company that provides large scale hosting (no prizes for guessing who). Because of what they do, security naturally plays a massive role in their service architecture.
A large part of the success of their security implementation comes down to a combination of knowing what to protect and how to protect it. Knowing what to protect comes naturally, because they have to bill customers for resources or services used. As a result they know – to a very high degree – what is running on their infrastructure at any point in time, and can also flag up when unauthorised or suspicious services attempt to run.
When it comes to the how of protecting applications and services, they have invested in developing security policies and frameworks – based around standards such as PCI DSS, ISO 27001 or HIPAA – that are regularly – and independently – assessed and audited.
This type of investment in management and security is natural for service providers because it is core to what they do (although some do this far better than others). Yet when it comes to internal IT, our research shows that security and management are often areas that are a struggle.
A recent survey indicated that a large proportion of companies never have their security capability independently assessed, and even fewer undergo external auditing. Our on-going research into systems and service management continues to highlight that effective service and asset management – the foundations of good IT practice – are the preserve of the few rather than the domain of the many.
When it comes to improving the situation, one option of course could be to start to move applications into the cloud. But for many, this is not really a viable strategy in the short or even medium term. This means that any improvements needs to made to internal IT policies, processes and tooling.
Lessons can be learned from how the service providers approach security and management in service delivery to improve the situation internally. If we consider this at the fundamental level, this is really the right way to secure and run IT. This means that getting serious about investing in management. Too often management is neglected and the fallout is dealt with as an IT operations overhead. But with the changing and ever more serious threat landscape good management it is no longer an IT option, it is a business necessity.