
Vulnerabilities / Threats

5/6/2019, 10:30 AM | John De Santis | Commentary

Trust the Stack, Not the People

A completely trusted stack lets the enterprise be confident that apps and data are treated and protected wherever they are.

With great power comes great responsibility. Just ask Spider-Man — or a 20-something system administrator running a multimillion-dollar IT environment. Enterprise IT infrastructures today are incredibly powerful tools. Highly dynamic and dangerously efficient, they enable what used to take weeks to now be accomplished — or destroyed — with a couple of mouse clicks.

In the hands of an attacker, abuse of this power can dent a company's profits, reputation, brand — even threaten its survival. But even good actors with good intentions can make mistakes, with calamitous results. Bottom line: The combination of great power with human fallibility is a recipe for disaster. So, what's an IT organization to do?

Answer: Trust the stack, not the people.

I'd love to be able to take credit for coining this phrase. But the saying was coined by IBM Distinguished Engineer Jerry Denman, the company's industry platforms chief cloud architect and vice president. Jerry used the term in a recent public forum to assure customers that IBM's stack is built on a very trustworthy foundation.

To be clear, the stack here refers to the foundation of compute, network, and storage upon which developers build applications. When construction workers erect a skyscraper, they first build a deep foundation and frame of girders on which to hang the structure. That's the stack. And the workers who add windows, walls, carpeted spaces, etc., are like the app developers. They shouldn't have to give the stack a second thought. Its availability is a given.

Not all stacks are created equal. Those most deserving of your trust are built by seasoned security professionals and operations specialists who are intimately involved in the design and architecture of the system. The systems and processes they create — and then automate — are the result of extremely thoughtful consideration.

That said, it's not even about trusting the people who have knowledge of and build the foundation. Rather, it's about building trust into the foundation as best you can so that the developers and system administrators who manage that stack don't have to … well, think too much! To use another analogy, it's like driving a car. You don't worry about how the suspension, internal combustion and electric motor are working. All of those, including the safety mechanisms, just work. All you need to focus on is driving.

The Rolls-Royce of trustworthy stacks checks several key boxes. It offers unified, policy-based controls for multicloud infrastructures. Let's break that down a little. Multicloud infrastructure — that is, infrastructure that spans public, private, and/or hybrid cloud environments — is the target. As I explained in a previous column, a security policy is simply what you decide a priori is the correct behavior versus what is wrong. The security controls for these multicloud infrastructures are based on policies that you've predetermined are "the right thing to do," and you have unified them across those infrastructures. This is unique.

But don't all IT organizations use controls to secure their stack? Generally, yes. If they use just public clouds such as IBM Cloud or Amazon Web Services, they may have controls for that particular environment. More enlightened organizations might have policy-based controls. But policy-based controls that are unified across multicloud infrastructures? That is unique — and it makes for a truly trustworthy stack.

What are the benefits of protecting the stack with an automated policy, compliance, and reporting solution? Perhaps the most obvious is the ability to assure all parts of your business that there is little to no risk in putting any and all applications and data on said stack. In addition, knowing that the stack is secure allows you to focus on other mission-critical aspects of your infrastructure, such as data protection, data replication, application resiliency, and so forth.

Perhaps less obviously, when you trust the stack over the people running it, it frees you up to allow your most valuable assets — the people you trust — to work on strategic and more complicated problems. That's because you can now assign the mundane tasks of running your virtual estate to more-junior or less-tenured admins, and in some cases even to outsourced help.

A stack that's trusted completely allows the enterprise to have total confidence that apps and data are treated and protected regardless of where they are — be that in a VMware on-premises environment, in a VMware hybrid cloud, AWS, containers, or something else. With the right solution, you can ensure that the same security policies and measures are applied across your entire cloud, while also being given a correlated view into all administrator activity.

In the 2002 film of the same name, Spider-Man follows those famous words about great power and great responsibility with, "This is my gift, my curse." But with the right solution — a completely trusted stack — your highly dynamic, securely automated and efficient IT infrastructure can be all gift, no curse.


John De Santis has operated at the bleeding edge of innovation and business transformation for over 30 years -- with international and US-based experience at venture-backed technology start-ups as well as large global public companies. Today, he leads HyTrust, whose ...