Businesses reduce risk by burying bugs deep in the network

With companies unwilling to spend on IT, a careful approach of placing unpatchable systems at the core of the network could squeeze more life out of assets, while maintaining an acceptable level of risk.

Businesses are clinging on to their infrastructure to squeeze every last bit of value out of it. Done correctly, this could represent a cost saving without compromising on security.

According to Dimension Data director of solutions Neil Campbell, when it comes to the network, vulnerabilities aren't being eliminated the same way that bugs are reduced in software, because many organisations are afraid of the consequences of tampering with a physical piece of hardware.

"Vulnerabilities will exist right up to the point that that piece of infrastructure is moved out of the network and replaced by something newer, which doesn't have those vulnerabilities anymore. That tends to be what reduced vulnerabilities in a network — a hardware refresh — rather than a programmatic approach to patching."

However, as research company Forrester recently pointed out, Australian spending on IT has taken a more cautious approach as the nation looks to China's economy for cues on whether to spend.

Dimension Data's own view, presented in its 2013 Network Barometer Report, shows a similar approach, with Australian organisations "selectively sweating" their assets — using them beyond their typical end-of-sale date, after which that particular product is no longer offered for sale — even though they are approaching obsolescence.

Campbell said that such practices might increase the exposure of a business to certain security threats, but, depending on the business, still keep it within an acceptable level of risk.

He explained that the closer a switch or router is to the internet, the greater the risk to the organisation. However, organisations that play their cards right could sweat their infrastructure.

"If it's buried in the core of the network and you have other controls around it, it should be, generally, much less of a concern, but that's very much an individual decision that each organisation needs to take."

The report warned companies not to be complacent, even though the overall number of vulnerabilities in networking equipment is dropping, but conversely said that some vulnerabilities will be so expensive, disruptive, and impractical to patch that it's best to focus on the more at-risk pieces of equipment closer to the internet.

This means that to sweat assets in the right way, a better way of thinking about the architecture of an organisation's network is required once the eventual refresh of infrastructure comes around. The report says that doing so, aside from protecting hard-to-upgrade equipment at the core of the network, would help alleviate the pressures of having to respond to enterprise mobility and trends like the consumerisation of IT.

For some businesses, however, sweating assets will simply not be an option. Campbell used the example of a medical profession using tele-surgery as one such case, where any form of network outage could be life-threatening.

In contrast, an educational institution that has a network disruption could remain within an acceptable level of risk: while there would be a disruption to its operations, it is unlikely to have catastrophic consequences.

"Risk is a very individual thing. What's risky for one organisation is absolutely acceptable for another."