Who moved my cement?

What you thought was tucked away behind a pile of bricks in some IT backyard has become converged, programmable, open, commoditised and what not in a matter of a few months. And we believed that a watched pot never boils!

Pratima Harigunani

Pratima H

INDIA: Is there a dark side to the digital economy? More software and less hardware - are we ready for that new infra-mix yet? Would hyper-convergence bring in a new array of complexities? What can be done to keep critical infrastructure from being swallowed by security threats?

Tom Scholtz, VP & Gartner Fellow, gives us a few minutes to sort out the new multi-layered, pastiche-like, fiercely alive and ferociously changing brick wall that IT infrastructure has turned into. The moot point – we know it’s getting better, but is it getting any simpler?

With warnings like Kaspersky Labs' pointing out that critical infrastructures are under threat, how sure can enterprises be of their core infrastructure stability?

If critical infrastructure facets can mean utilities etc. being open to attack, then it’s a question of ‘when’ and not ‘if’ any more. A recent study we did on ‘How Internet of Things (IoT) impacts security’ tells a bit on the ‘where’ as well as the ‘when’. Security is a continuous race and everything keeps changing fast, so we advise people to do more ‘what-if’ exercises and be a little ‘forward-looking’ even if being proactive is impossible.

When infrastructure has become programmable, does that signify more complications coming in?

On one hand, infrastructure has become a lot more dynamic than it was and has turned more self-dependable, more intelligent and everything. But on the other hand, vendors without enough solid intelligence built inside this new iron could lead to more vulnerabilities. The point of concern here is that software can always increase vulnerability or the potential footprint of vulnerability. To inject more software into hardware (e.g., SDN, or Software Defined Networking) can make it smarter, but it should also be dent-proof. This trend is a double-edged sword, so enterprises should find out what level of security is built in. It is a mindset game also, and only market thrust can push such in-built factors into a product’s life cycle.

At a recent Gartner summit on infrastructure you spoke on an interesting subject – The Dark side of Digital Economy? What paints it dark?

The digital business world has provided a lot of opportunities, unleashing Big Data, Mobility, Cloud, IoT etc. But the sheer volume of devices characterizes it in a different way. The business side is taking over IT, but they need to manage security in a world of too many devices with not too much control. We see new concerns emerging that point out that security leaders in organizations pursuing a digital workplace must rethink their approach to security. For example, changing circumstances in how employees exploit technology predicate a change in conventional security strategies; or increasing adoption of a more mobile, social, data-driven and consumer-like workplace — which Gartner calls the "digital workplace" — breaks traditional security models and strategies.

The challenge is that security organizations and leaders that fail to alter strategies to accommodate a more consumerized workforce will be sidelined by engaged organizations.

How serious is the milieu we are entering?

One of our observations reveals that by 2018, 25 per cent of large organizations will have an explicit strategy to make their corporate computing environments similar to a consumer computing experience. Also, by 2018, 25 per cent of large organizations will use customer-oriented digital marketing to improve employee engagement. You may also see that by 2020, more than 80 per cent of enterprises will allow unrestricted access to noncritical assets (compare it to less than five per cent today), and reduce spending on identity and access management by 25 per cent. What is also interesting to note is that by 2017, firms that focus on security knowledge or awareness will see 50 per cent more user-generated incidents than those that focus on modifying behaviors — up from a 20 per cent difference in 2013.

How can those dark contours be re-painted then?

As organizations shift toward a more consumer-like mobile, social and data-driven work environment, long-held approaches to security need to be re-examined. We should realize that implementation of a digital workplace exacerbates the IT department's loss of control over endpoint devices, servers, the network and applications. In a fully consumerized workplace, the information layer becomes the primary infrastructure focal point for security control. This reality necessitates a shift toward a more information-focused security strategy. The prevailing principle in engaged organizations will change from "everything that isn't allowed is forbidden" to "everything that is not expressly forbidden is allowed". So a good recommendation is to adopt an information-centric security approach that requires minimal control of endpoints; to consider transaction integrity monitoring to be an extension of the information-centric security focus; and at the same time to abandon "default to deny" for application domains that will be impacted by a digital workplace, and apply "least privilege" controls selectively.

Any word on what waves like Open Compute, KVM, OpenStack etc. are doing to the core hardware world? Or why have we started hearing more on hyper-converged infrastructures from Cisco, IBM, HP, VMware and the like?

It is tough to comment on this area, but the more standardized things become, the more open and easier they turn for collaboration on security. The more someone opens oneself for the best interests of knowledge, the more we can see space for coming together and making security-strong solutions.
