
Time to rebuild your IT infrastructure security policy

The one constant in IT has always been security -- or a lack thereof. Don't wait until it's too late to address security policy issues.


IT infrastructure security isn't always a priority, and when we do have it, it's never enough, or it's applied in the wrong places.

Security is one of the most important areas of IT, especially in the wake of massive security breaches, such as those at Target and Home Depot, as well as high-profile software bugs in OpenSSL and NTP.


Budgetary restrictions are often blamed for security shortfalls, but there may be more to blame. We select products based on features and functions, and security issues aren't considered as much during the purchasing process. After that point, all we can do is hide the system behind a firewall, or enable the firewall to discern good traffic from bad. We can limit access by user, and obscure the name of the system in hopes that bad actors don't discover it, or know what it is when they do.

All of these are bandages that aren't scalable or supportable -- we need to fix IT infrastructure security problems at their source. Security controls are in the wrong place, and don't address the real problem: software has no security.

Software developers are less concerned about security because the people that hire them don't consider it. Specifications are written by non-technical staff who don't include security, specify encryption or prioritize user protection like decent passwords and two-factor authentication. And implementations are added by developers who are not properly trained in the technology, especially encryption.

A great example is my bank, which doesn't allow passwords with semicolons, percent signs or spaces. Why not? They're likely trying to protect against a SQL injection attack, in which these characters subvert the way the application works with the database it uses. It really means that their application has weak security. They compromise my account safety because they don't sanitize their application's input.

There are thousands of examples of bad security, especially as we get farther down the stack into infrastructure. Our data centers are filled with products that ship with default passwords, communication protocols enabled, and no firewalling or IP-level access control. Vendors should always be working to make security easier to implement, at all levels of the IT infrastructure. I applaud the vendors that make it easier to secure their products and ship products in more secure configurations.

The data center industry needs to insist on IT security up front. Some of the first questions when inquiring about a product should be about security features, like encryption of data, password handling, two-factor authentication and IP restrictions. Cut through vendor bias and insist on real answers. Finally, stop buying and using products that don't have security features baked in.

Bob Plankers is a virtualization and cloud architect at a major Midwestern university.

This was last published in May 2015