Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/6/2019
10:30 AM
John De Santis
John De Santis
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Trust the Stack, Not the People

A completely trusted stack lets the enterprise be confident that apps and data are treated and protected wherever they are.

With great power comes great responsibility. Just ask Spider-Man — or a 20-something system administrator running a multimillion-dollar IT environment. Enterprise IT infrastructures today are incredibly powerful tools. Highly dynamic and dangerously efficient, they enable what used to take weeks to now be accomplished — or destroyed — with a couple of mouse clicks.

In the hands of an attacker, abuse of this power can dent a company's profits, reputation, brand — even threaten its survival. But even good actors with good intentions can make mistakes, with calamitous results. Bottom line: The combination of great power with human fallibility is a recipe for disaster. So, what's an IT organization to do?

Answer: Trust the stack, not the people.

I'd love to be able to take credit for coining this phrase. But the saying was coined by IBM Distinguished Engineer Jerry Denman, the company's industry platforms chief cloud architect and vice president. Jerry used the term in a recent public forum to assure customers that IBM's stack is built on a very trustworthy foundation.

To be clear, the stack here refers to the foundation of compute, network, and storage upon which developers build applications. When construction workers erect a skyscraper, they first build a deep foundation and frame of girders on which to hang the structure. That's the stack. And the workers who add windows, walls, carpeted spaces, etc., are like the app developers. They shouldn't have to give the stack a second thought. Its availability is a given.

Not all stacks are created equal. Those most deserving of your trust are built by seasoned security professionals and operations specialists who are intimately involved in the design and architecture of the system. The systems and processes they create — and then automate — are the result of extremely thoughtful consideration.

That said, it's not even about trusting the people who have knowledge of and build the foundation. Rather, it's about building trust into the foundation as best you can so that the developers and system administrators who manage that stack don't have to … well, think too much! To use another analogy, it's like driving a car. You don't worry about how the suspension, internal combustion and electric motor are working. All of those, including the safety mechanisms, just work. All you need to focus on is driving.

The Rolls-Royce of trustworthy stacks checks several key boxes. It offers unified, policy-based controls for multicloud infrastructures. Let's break that down a little. Multicloud infrastructure — that is, infrastructure that spans public, private, and/or hybrid cloud environments — is the target. As I explained in a previous column, a security policy is simply what you decide a priori is the correct behavior versus what is wrong. The security controls for these multicloud infrastructures are based on policies that you've predetermined are "the right thing to do," and you have unified them across those infrastructures. This is unique.

But don't all IT organizations use controls to secure their stack? Generally, yes. If they use just public clouds such as IBM Cloud or Amazon Web Services, they may have controls for that particular environment. More enlightened organizations might have policy-based controls. But policy-based controls that are unified across multicloud infrastructures? That is unique — and it makes for a truly trustworthy stack.

What are the benefits of protecting the stack with an automated policy, compliance, and reporting solution? Perhaps the most obvious is the ability to assure all parts of your business that there is little to no risk in putting any and all applications and data on said stack. In addition, knowing that the stack is secure allows you to focus on other mission-critical aspects of your infrastructure, such as data protection, data replication, application resiliency, and so forth.

Perhaps less obviously, when you trust the stack over the people running it, it frees you up to allow your most valuable assets — the people you trust — to work on strategic and more complicated problems. That's because you can now assign the mundane tasks of running your virtual estate to more-junior or less-tenured admins, and in some cases even to outsourced help.

A stack that's trusted completely allows the enterprise to have total confidence that apps and data are treated and protected regardless of where they are — be that in a VMware on-premises environment, in a VMware hybrid cloud, AWS, containers, or something else. With the right solution, you can ensure that the same security policies and measures are applied across your entire cloud and all the while you are provided a correlated view into all administrator activity.

In the 2002 film of the same name, Spider-Man follows those famous words about great power and great responsibility with, "This is my gift, my curse." But with the right solution — a completely trusted stack — your highly dynamic, securely automated and efficient IT infrastructure can be all gift, no curse.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

John De Santis has operated at the bleeding edge of innovation and business transformation for over 30 years -- with international and US-based experience at venture-backed technology start-ups as well as large global public companies. Today, he leads HyTrust, whose ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...