Welcome to the first edition of Security Watch. What I’m hoping to do here is to bring the experience from the various projects I’m involved in to you, and articulate some best practices currently being implemented to deliver world-class secure solutions. This first article is a combination of experiences in projects implementing total infrastructure change in organisations.
For those organisations that recovered from the dotcom crash, year 2000 and the overall market downturn, there is a realisation that current infrastructure capabilities are either unsupported by the vendor or are not delivering against current business requirements. In most organisations, this opportunity for change can bring significant business benefit, but it can also be perceived to increase the risk of security violations.
Most security departments are very comfortable with their existing systems. Solutions based on Microsoft Windows NT 4, Novell NetWare and others are extremely well known and there is a great deal of skill and experience in those spaces. However, these “legacy” platforms really do not make the grade when matched against current business requirements with an increased focus on electronic commerce.
During a couple of engagements recently, I have come across a phenomenon that I last saw in the closing months of 1999; that of conflict between IT security departments and groups attempting to introduce new enterprise infrastructure platforms.
Current Australian outsourcing practices have shown that adversarial models are not the most appropriate or effective means of getting the job done, yet time and time again, I see conflict between security teams trying to engender best practices and well-worn security models, and others trying to introduce as much flexibility as they can into the environment.
Current technology delivers a heap of benefits to security departments, not the least being the ability to centrally set the security policy and ensure that all connected devices adhere to these policies. Microsoft’s implementation of Group Policy under Windows 2000 and Windows 2003 is such a solution. This also delivers the ability to modify that policy at any time and have that implemented throughout the enterprise very rapidly.
However, when implementing such solutions, I continually hit resistance to this functionality from security departments. More progressive ones have staff trained in these new tools and techniques, yet many others are more specifically skilled in the existing environment.
Questions put to implementation teams, such as “how exactly does this differ?” and “tell us what we don’t know”, don’t work. The answer usually revolves around the “how long is a piece of string” argument.
These new solutions have really been written from the ground up. They offer significant opportunity to secure the infrastructure and overall enterprise. Some skills and knowledge transfer between versions; however, it’s key that these new tools are used to greatest effect.
Probably the first team that should get trained when a new infrastructure is being proposed is the security team. It’s key that they are up to speed before implementation to ensure the design is aligned with corporate standards. In organisations where the security team has played an active role in design, this has been most effective; in those where the security team gets to comment during testing or, worse still, during pilot, the results are normally disastrous.
The key take-away from this is that most organisations will undergo significant infrastructure change in the next eighteen months, and if security teams are not ready and able to assist and guide, the results will be mixed at best. At worst, the new infrastructure may be deployed massively behind schedule with a plethora of compromises reducing the supportability of the enterprise.
Nick Beaugeard has been an IT consultant for the last 12 years, focusing on delivering enterprise-wide systems management solutions to large global organizations across four continents. Beaugeard is a principal of the Bellerephon group, an Australian company targeted at delivering end-to-end systems management solutions to large organisations. He can be reached via e-mail at firstname.lastname@example.org.