Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/6/2019
10:30 AM
John De Santis
John De Santis
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Trust the Stack, Not the People

A completely trusted stack lets the enterprise be confident that apps and data are treated and protected wherever they are.

With great power comes great responsibility. Just ask Spider-Man — or a 20-something system administrator running a multimillion-dollar IT environment. Enterprise IT infrastructures today are incredibly powerful tools. Highly dynamic and dangerously efficient, they enable what used to take weeks to now be accomplished — or destroyed — with a couple of mouse clicks.

In the hands of an attacker, abuse of this power can dent a company's profits, reputation, brand — even threaten its survival. But even good actors with good intentions can make mistakes, with calamitous results. Bottom line: The combination of great power with human fallibility is a recipe for disaster. So, what's an IT organization to do?

Answer: Trust the stack, not the people.

I'd love to be able to take credit for coining this phrase. But the saying was coined by IBM Distinguished Engineer Jerry Denman, the company's industry platforms chief cloud architect and vice president. Jerry used the term in a recent public forum to assure customers that IBM's stack is built on a very trustworthy foundation.

To be clear, the stack here refers to the foundation of compute, network, and storage upon which developers build applications. When construction workers erect a skyscraper, they first build a deep foundation and frame of girders on which to hang the structure. That's the stack. And the workers who add windows, walls, carpeted spaces, etc., are like the app developers. They shouldn't have to give the stack a second thought. Its availability is a given.

Not all stacks are created equal. Those most deserving of your trust are built by seasoned security professionals and operations specialists who are intimately involved in the design and architecture of the system. The systems and processes they create — and then automate — are the result of extremely thoughtful consideration.

That said, it's not even about trusting the people who have knowledge of and build the foundation. Rather, it's about building trust into the foundation as best you can so that the developers and system administrators who manage that stack don't have to … well, think too much! To use another analogy, it's like driving a car. You don't worry about how the suspension, internal combustion and electric motor are working. All of those, including the safety mechanisms, just work. All you need to focus on is driving.

The Rolls-Royce of trustworthy stacks checks several key boxes. It offers unified, policy-based controls for multicloud infrastructures. Let's break that down a little. Multicloud infrastructure — that is, infrastructure that spans public, private, and/or hybrid cloud environments — is the target. As I explained in a previous column, a security policy is simply what you decide a priori is the correct behavior versus what is wrong. The security controls for these multicloud infrastructures are based on policies that you've predetermined are "the right thing to do," and you have unified them across those infrastructures. This is unique.

But don't all IT organizations use controls to secure their stack? Generally, yes. If they use just public clouds such as IBM Cloud or Amazon Web Services, they may have controls for that particular environment. More enlightened organizations might have policy-based controls. But policy-based controls that are unified across multicloud infrastructures? That is unique — and it makes for a truly trustworthy stack.

What are the benefits of protecting the stack with an automated policy, compliance, and reporting solution? Perhaps the most obvious is the ability to assure all parts of your business that there is little to no risk in putting any and all applications and data on said stack. In addition, knowing that the stack is secure allows you to focus on other mission-critical aspects of your infrastructure, such as data protection, data replication, application resiliency, and so forth.

Perhaps less obviously, when you trust the stack over the people running it, it frees you up to allow your most valuable assets — the people you trust — to work on strategic and more complicated problems. That's because you can now assign the mundane tasks of running your virtual estate to more-junior or less-tenured admins, and in some cases even to outsourced help.

A stack that's trusted completely allows the enterprise to have total confidence that apps and data are treated and protected regardless of where they are — be that in a VMware on-premises environment, in a VMware hybrid cloud, AWS, containers, or something else. With the right solution, you can ensure that the same security policies and measures are applied across your entire cloud and all the while you are provided a correlated view into all administrator activity.

In the 2002 film of the same name, Spider-Man follows those famous words about great power and great responsibility with, "This is my gift, my curse." But with the right solution — a completely trusted stack — your highly dynamic, securely automated and efficient IT infrastructure can be all gift, no curse.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

John De Santis has operated at the bleeding edge of innovation and business transformation for over 30 years -- with international and US-based experience at venture-backed technology start-ups as well as large global public companies. Today, he leads HyTrust, whose ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16199
PUBLISHED: 2019-09-17
eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process.
CVE-2019-16391
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.
CVE-2019-16392
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.
CVE-2019-16393
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.
CVE-2019-16394
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.