bluebay2014 - Fotolia
Published: 11 May 2015
IT infrastructure security isn't always a priority, and when we have it, it's never enough or applied in the wrong places.
Security is one of the most important areas of IT, especially in the wake of massive security breaches, such as those at Target and Home Depot, as well as high-profile software bugs in OpenSSL and NTP.
Budgetary restrictions are often blamed for security shortfalls, but there may be more to blame. We select products based on features and functions, and security issues aren't considered as much during the purchasing process. After that point, all we can do is hide the system behind a firewall, or enable the firewall to discern good traffic from bad. We can limit access by user, and obscure the name of the system in hopes that bad actors don't discover it, or know what it is when they do.
All of these are bandages that aren't scalable or supportable -- we need to fix IT infrastructure security problems at their source. Security controls are in the wrong place, and don't address the real problem: software has no security.
Software developers are less concerned about security because the people that hire them don't consider it. Specifications are written by non-technical staff who don't include security, specify encryption or prioritize user protection like decent passwords and two-factor authentication. And implementations are added by developers who are not properly trained in the technology, especially encryption.
A great example is my bank, which doesn't allow passwords with semicolons, percent signs or spaces. Why not? They're likely trying to protect against a SQL injection attack, in which these characters subvert the way the application works with the database it uses. It really means that their application has weak security. They compromise my account safety because they don't sanitize their application's input.
There are thousands of examples of bad security, especially as we get farther down the stack into infrastructure. Our data centers are filled with products that ship with default passwords, communication protocols enabled, and no firewalling or IP-level access control. Vendors should always be working to make security easier to implement, at all levels of the IT infrastructure. I applaud the vendors that make it easier to secure their products and ship products in more secure configurations.
The data center industry needs to insist on IT security up front. Some of the first questions when inquiring a product should be about security features, like encryption of data, password handling, two-factor authentication and IP restrictions. Cut through vendor bias and insist on real answers. Finally, stop buying and using products that don't have security features baked in.
Bob Plankers is a virtualization and cloud architect at a major Midwestern university.
What policies should be in a cloud infrastructure security program?
Creating a good IT security policy