Ken Hess
Overhaul
Bit by bit
David Chernicoff
Best Argument: Overhaul
Audience Favored: Bit by bit (62%)
The moderator has delivered a final verdict.
Opening Statements
Desperate times call for desperate measures
Ken Hess: Things in IT change in one of two ways: evolution or revolution. One might believe that a logical, methodical, incremental pace is the way to fix data center security, but it isn't. Malevolent hackers, social engineers, and other data criminals don't use those techniques, so why should we do so as defenders?
But it isn't only 'over the network' attacks that need a revolutionary overhaul, it's also our data center's physical security that requires us to rethink and rebuild. For example, in multitenant data centers, external security is near military grade, but once you're allowed inside the chilly, raised floor server sanctuary, there are no such measures. Company A and Company B share those same spaces with dozens, or even hundreds, of other tenants. Shared data space isn't that uncommon and isn't necessarily a problem. The problem is that you're inside the data center, you have access to physical servers from a variety of customers, whether or not they know it.
Only a revolutionary overhaul of data center security can fix these two basic problems. An incremental approach is the wrong answer when facing these desperate times.
Don't jump into major upgrades with both feet
David Chernicoff: When security issues in your datacenter are identified, the temptation is great to rip out the offending application or system and replace it with the latest and greatest solution from your vendor of choice. But if you’re getting that urge, sit down and have a cup of coffee while you think about it. The nature of the datacenter is one of an intimate ecosystem involving multiple vendors, different classes of hardware and software, and a significant effort to get everything into homeostasis.
The wholesale replacement of even a single component of that datacenter architecture means that in many ways you are starting from scratch, especially when you are dealing with the issue of security; one that touches on so many different pieces of the environment, and where a small error in configuration can cause cascading problems that shut down users or open up your systems to attack, or potentially both. Effectively dealing with a current security problem means evaluating the impact of your changes not only on addressing existing issues but how it will impact future growth.
A careful examination of the current problems and how they can be addressed while keeping an eye on the future means not jumping into major upgrades with both feet. A careful, considered approach of well-planned upgrades and efficient modifications to your security model will allow you to maintain a flexible and effective security infrastructure with minimal negative impact on your users.
Talkback
Too vague / situational . . .
The question as stated seems too vague and general to be answered.
Whether you need to overhaul things or just make incremental changes tends to be situational. Was the system built with security in mind to begin with? Is the system modular enough for the desired changes? Is there a lot of legacy code that may need to be rewritten? How large of a rewrite would we be talking about, and how expensive would it be?
To me, the very nature of this question tends to be highly situational. I don't think it's something that can really be answered in a generalized context.
I guess we'll see where the conversation goes.
"The cloud" is data centers
"... and tell everyone to go cloud and forget about it?"
"The cloud" is data centers too, lest we forget. For all I know, when you say "data center," you could very well be talking about Amazon's or Microsoft's or Google's or any number of "cloud" providers. They have to be concerned about this stuff as much as anybody else who runs a data center.
No, "the cloud" is not a magical collection of fairy dust. It too runs on actual machines at actual data centers, and is subject to the same questions.
Correct
the cloud ???? LOL
Have a Cup of Coffee?
Strictly situational.
How much of that overhaul gets watered down by the time it gets to the grunts is the question. From their point of view, it might actually be a bit-by-bit change, whereas from the management point of view things are being radically changed.
For most things, I believe an overhaul is needed.
The problem starts with acquisition... If security is not considered a primary function, there will only be a patchwork security available. Not reliable, not secure, and just as vulnerable as most sites are now.
Depending on your situation.
As for an overhaul of the security, it takes a longer time to implement, since it will require compatibility and testing for a period of time to get it to work properly before it gets implemented, and that is where the bit-by-bit part comes in: you implement the most crucial parts first and then implement other parts later. For the budget conscious, the bit-by-bit method is the best way, as not to have a large budget outlay as in the overhaul method. However, the overhaul method is good if you have the budget and could implement all of the systems all at once.
Again, it depends on your situation.
In the end...
The other problem is that overhauls tend to be put off until an opportune moment, which might never come; incremental things can be done quickly and they tend to add up.
There is occasionally a good reason for a complete overhaul of the system, but not very often.
the issue goes into the roots of o/s design
a band-aid ain't gonna help.
Nobody was suggesting band-aids
An overhaul probably isn't necessary. A proactive staff working to properly secure the data and educating their users on safe computing practices definitely is.