enterprisesecuritymag

Morphing Enterprise Architecture Tramples Security Capabilities

By Connie Barrera, CISO at Jackson Health System


Enterprise IT architectures have become a mammoth web of different solutions and technologies across all business sectors. From manufacturing to healthcare, the rapid adoption of cloud, mobile, and virtual technologies has placed a strain on even the most competent technology teams. During the past 10-15 years, most IT Divisions seemed to carve roles and responsibilities to facilitate cookie-cutter approaches. Unfortunately, technology does not play by those rules.

Historically, a server administrator handled all needs for a system, from racking the equipment in the data center to all installations and backups. Today, those functions have been split up, yielding clumsy to disastrous results. Typically, you find a different team handling the micro-tasks across all environments, which means one team handles power and racking of equipment, another the operating system, and a different group manages the application; I could go on. In theory, this might seem efficient in certain ways, but in reality, it results in awkward system management, troubleshooting nightmares, and an increased threat surface, because no one is looking at the big picture.

Ironically, while functional roles in IT have been sliced narrowly into apparently simple processes, virtualization flips this concept upside down, mandating that traditional server folks become network engineers. Astonishingly, you can still often find server engineers who don’t realize there is a virtual network switch within the hypervisor. Why is this important? The hypervisor is a micro-universe, a network, within each chassis of virtual hosts. More often than not, inter-virtual host security goes largely ignored, which is a significant threat to the systems and the data within.

The use of Internet of Things (IoT) smart devices continues to surge. Within the next ten years, research organizations project the number of connected devices to reach around 30 billion. From smart golf clubs for entertainment to any number of tech gadgets used in production lines and other business-critical functions, IoT has become commonplace on enterprise networks. The issue? Security lags grossly behind technology innovation, and IoT is not an exception. The race to market has resulted in technology with deficient to absent security capabilities. Not surprisingly, it has been proven how easily these devices can be hacked and used to penetrate a network, steal data, or eavesdrop on any number of private conversations. The standard ports 80 and 443, used for Internet communication, are enough to allow attackers to compromise these fragile devices and ultimately the business network, which was believed to be ‘secure.’

How about business data walking away? That’s what happens every time an employee, associate, or contractor walks away with a mobile device containing organizational data. It’s 2019, and yet we still find mobile devices with sensitive data unencrypted and even without password protection. Even when data is encrypted, in most cases, the moment data is copied or transmitted, the organization loses control over it. Other times, large quantities of data are being exfiltrated, in the absence of a breach, simply in the course of using corporate email. When conducting an informal poll, quasi “man-on-the-street” interviews, the average user adamantly believes they do not have any sensitive data within their email. This, of course, is not true. Most users have a substantial amount of sensitive data within their electronic mailboxes. Both situations pose a huge risk for most businesses.

Where do we go from here? How do we move ahead, embracing innovation without allowing the morphing nature of enterprise technology to trample all over security, leaving the business at risk? There’s no magic wand, but IT shops everywhere would be wise to pay closer attention to vetting technology before procurement, to identify any red flags. In addition, an integrated partnership with the security team is essential. Whether dealing with hardware or software, dissecting how something works is vital: not just knowing how to install and configure the solution but, even more importantly, knowing what ports, processes, files, registry entries, etc., are required. Also, effective and continual training of both your end users and technical teams is indispensable in minimizing risk.

While all of these recommendations yield solid results in creating and maintaining a secure network, this still leaves organizations short of the goal. Restructuring the way IT operates is overdue. Innovative thinking for team building and the re-imagining of functional roles is needed. The IT roles that have existed for the past 20-30 years are just not effective today. Functional teams, responsible for both the big picture and operational details, coupled with the right incentives, will help drive success. Technology changes, yet IT Divisions have been the poster child of “suspended in time,” and it’s not working. IT must also evolve and innovate from within.

Finally, there is a time to say “no,” but technology is literally all around us, and trying to contain it is a futile battle. Instead, building a robust and agile security framework and architecture will allow the organization to meet the challenges of today and the unknown threats of tomorrow.
