Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

5/6/2019 10:30 AM
John De Santis
Commentary

Trust the Stack, Not the People

A completely trusted stack lets the enterprise be confident that apps and data are treated and protected wherever they are.

With great power comes great responsibility. Just ask Spider-Man — or a 20-something system administrator running a multimillion-dollar IT environment. Enterprise IT infrastructures today are incredibly powerful tools. Highly dynamic and dangerously efficient, they enable what used to take weeks to now be accomplished — or destroyed — with a couple of mouse clicks.

In the hands of an attacker, abuse of this power can dent a company's profits, reputation, brand — even threaten its survival. But even good actors with good intentions can make mistakes, with calamitous results. Bottom line: The combination of great power with human fallibility is a recipe for disaster. So, what's an IT organization to do?

Answer: Trust the stack, not the people.

I'd love to be able to take credit for coining this phrase. But the saying was coined by IBM Distinguished Engineer Jerry Denman, the company's industry platforms chief cloud architect and vice president. Jerry used the term in a recent public forum to assure customers that IBM's stack is built on a very trustworthy foundation.

To be clear, the stack here refers to the foundation of compute, network, and storage upon which developers build applications. When construction workers erect a skyscraper, they first build a deep foundation and frame of girders on which to hang the structure. That's the stack. And the workers who add windows, walls, carpeted spaces, etc., are like the app developers. They shouldn't have to give the stack a second thought. Its availability is a given.

Not all stacks are created equal. Those most deserving of your trust are built by seasoned security professionals and operations specialists who are intimately involved in the design and architecture of the system. The systems and processes they create — and then automate — are the result of extremely thoughtful consideration.

That said, it's not even about trusting the people who have knowledge of and build the foundation. Rather, it's about building trust into the foundation as best you can so that the developers and system administrators who manage that stack don't have to … well, think too much! To use another analogy, it's like driving a car. You don't worry about how the suspension, the internal combustion engine or the electric motor are working. All of those, including the safety mechanisms, just work. All you need to focus on is driving.

The Rolls-Royce of trustworthy stacks checks several key boxes. It offers unified, policy-based controls for multicloud infrastructures. Let's break that down a little. Multicloud infrastructure — that is, infrastructure that spans public, private, and/or hybrid cloud environments — is the target. As I explained in a previous column, a security policy is simply what you decide a priori is the correct behavior versus what is wrong. The security controls for these multicloud infrastructures are based on policies that you've predetermined are "the right thing to do," and you have unified them across those infrastructures. This is unique.

But don't all IT organizations use controls to secure their stack? Generally, yes. If they use just public clouds such as IBM Cloud or Amazon Web Services, they may have controls for that particular environment. More enlightened organizations might have policy-based controls. But policy-based controls that are unified across multicloud infrastructures? That is unique — and it makes for a truly trustworthy stack.

What are the benefits of protecting the stack with an automated policy, compliance, and reporting solution? Perhaps the most obvious is the ability to assure all parts of your business that there is little to no risk in putting any and all applications and data on said stack. In addition, knowing that the stack is secure allows you to focus on other mission-critical aspects of your infrastructure, such as data protection, data replication, application resiliency, and so forth.

Perhaps less obviously, when you trust the stack over the people running it, it frees you up to allow your most valuable assets — the people you trust — to work on strategic and more complicated problems. That's because you can now assign the mundane tasks of running your virtual estate to more-junior or less-tenured admins, and in some cases even to outsourced help.

A stack that's trusted completely allows the enterprise to have total confidence that apps and data are treated and protected regardless of where they are — be that in a VMware on-premises environment, in a VMware hybrid cloud, AWS, containers, or something else. With the right solution, you can ensure that the same security policies and measures are applied across your entire cloud, while also being given a correlated view into all administrator activity.
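To make the idea concrete, here is an added example (not code from the column or from HyTrust) of what "one policy, decided a priori, applied across every environment, with a correlated view of admin activity" looks like in practice: admin events from VMware, AWS and Kubernetes are normalized into a single schema, evaluated against the same two rules, and grouped into a per-admin timeline. The event shapes, rules, and the DATA_CUSTODIANS group are assumptions constructed for the illustration.

```python
"""Unified, policy-based evaluation of admin activity across environments.
Added example, not from the article or HyTrust; events, rules and groups are constructed."""
from collections import defaultdict

# Constructed sample events in each platform's native shape (timestamps are ordinals).
RAW_EVENTS = [
    {"src": "vmware", "ts": 1, "user": "alice", "op": "VirtualMachine.Snapshot.Create", "vm": "db-01", "tags": ["pii"]},
    {"src": "aws", "ts": 2, "userIdentity": "alice", "eventName": "CreateSnapshot", "arn": "vol-db01", "tags": ["pii"]},
    {"src": "k8s", "ts": 3, "user": "bob", "verb": "delete", "kind": "Namespace", "name": "prod", "ticket": None},
    {"src": "aws", "ts": 4, "userIdentity": "bob", "eventName": "TerminateInstances", "arn": "i-prod1", "tags": ["prod"], "ticket": "CHG-42"},
]
DATA_CUSTODIANS = {"carol"}  # assumption: the only admins allowed to copy PII-tagged data

def normalize(ev):
    """Map a platform-specific event into one schema so a single policy applies to all of them."""
    base = {"src": ev["src"], "ts": ev["ts"], "ticket": ev.get("ticket")}
    if ev["src"] == "vmware":
        action = "copy" if "Snapshot" in ev["op"] else "other"
        return {**base, "who": ev["user"], "action": action, "target": ev["vm"], "tags": set(ev["tags"])}
    if ev["src"] == "aws":
        action = {"CreateSnapshot": "copy", "TerminateInstances": "destroy"}.get(ev["eventName"], "other")
        return {**base, "who": ev["userIdentity"], "action": action, "target": ev["arn"], "tags": set(ev["tags"])}
    if ev["src"] == "k8s":
        action = "destroy" if ev["verb"] == "delete" else "other"
        tags = {"prod"} if ev["name"] == "prod" else set()
        return {**base, "who": ev["user"], "action": action, "target": f"{ev['kind']}/{ev['name']}", "tags": tags}
    raise ValueError(f"unknown source {ev['src']}")

# The policy: decided a priori, and identical for every environment.
def policy(e):
    """Return (decision, reason) for one normalized event."""
    if e["action"] == "copy" and "pii" in e["tags"] and e["who"] not in DATA_CUSTODIANS:
        return "deny", "copy of PII-tagged data by a non-custodian"
    if e["action"] == "destroy" and "prod" in e["tags"] and not e["ticket"]:
        return "deny", "destructive change to prod without a change ticket"
    return "allow", "within policy"

def evaluate(raw_events):
    """Apply the one policy to every event and build a correlated per-admin timeline."""
    timeline = defaultdict(list)
    for e in sorted(map(normalize, raw_events), key=lambda n: n["ts"]):
        decision, reason = policy(e)
        timeline[e["who"]].append((e["ts"], e["src"], e["action"], e["target"], decision, reason))
    return dict(timeline)

if __name__ == "__main__":
    for admin, rows in evaluate(RAW_EVENTS).items():
        print(admin, *rows, sep="\n  ")
```

The correlated view is the point: alice's two snapshot attempts are denied by the same rule whether they happen in vSphere or in AWS, and bob's namespace deletion is caught while his ticketed instance termination is allowed.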

In the 2002 film of the same name, Spider-Man follows those famous words about great power and great responsibility with, "This is my gift, my curse." But with the right solution — a completely trusted stack — your highly dynamic, securely automated and efficient IT infrastructure can be all gift, no curse.


John De Santis has operated at the bleeding edge of innovation and business transformation for over 30 years -- with international and US-based experience at venture-backed technology start-ups as well as large global public companies. Today, he leads HyTrust, whose ...