The Security Apartheid: The beginning of the end?

Security has been notably absent from earlier evolutions in the computing industry. For a long time, the industry has evolved through two parallel universes: 1) the IT infrastructure universe, creating innovative techniques to compute, communicate and store information with little to no security consideration, and 2) the IT security universe, trying to solve the security problems newly created by IT innovators.

As examples, the Internet Society standardized SSL in January 1999 (RFC2246), almost three years after the publication of the HTTP standard in May 1996 (RFC1945). It took almost seven years for Microsoft to move from Windows NT® 3.1 to Windows 2000® and have a version of a network operating system embedding a comprehensive distributed security architecture based on Kerberos.

The segregation between the IT infrastructure universe and the security universe has created artificial markets for bolt-on security products and a lot of frustration for practitioners, triggered by the lack of efficiency and manageability of such approaches. It has also resulted in an unhealthy relationship between security departments and IT departments that could simplistically be summarized as follows:

  1. IT departments embrace emerging technology even if it has little security built in.
  2. Security departments oppose any new technology until they bend to the business benefits or viral adoption of these new technologies.
  3. Security departments struggle to find solutions to the security gaps introduced by newly deployed technologies.

The emergence of cloud computing is offering hope that we will not repeat the mistakes of the past. Security and trust are central to the architectures being built by cloud computing vendors (see the recent post on “The security-aware cloud”). However, this artificial segregation will not disappear until the entire IT ecosystem, from practitioners to vendors, starts considering security and infrastructure as one and the same.

On the vendor side, the cracks started appearing a few years ago with the acquisition of RSA by EMC, and increasingly the security providers are the same vendors that deliver IT infrastructure: EMC, Cisco, Microsoft, IBM, or Oracle.

Two recent studies on the extended enterprise show signs that practitioners are following suit.

In the fourth report published by RSA and the Security for Business Innovation Council, titled “Charting the Path: Enabling the ‘Hyper-Extended’ Enterprise in the Face of Unprecedented Risk”, a panel of Chief Security Officers offers its view on a set of emerging technologies and proposes strategies for leveraging these technologies while managing risk.
The report’s call for information security departments to “proactively embrace new technology on your own terms” is an acknowledgement that the culture of systematic opposition exhibited by many security departments in the past has failed. It is a critical step towards bridging the gap between IT infrastructure and security teams.

On the other side of the fence, the second study, conducted by IDG and commissioned by RSA, surveyed 100 top IT executives, a majority of whom did not have security responsibilities. On one hand, the report, titled “As Hyper-extended Enterprises Grow, So Do Security Risks”, highlights some of the same old behavior: two-thirds of the respondents who have some application or business process running in the cloud admit that they do not yet have a security strategy in place for cloud computing. On the other hand, an overwhelming majority of respondents (80+%) agree that organizations should move away from siloed approaches to security and that enterprise security professionals must collaborate across organizations.

With security and IT practitioners both admitting the need to desegregate security, and cloud computing providers making security central to their strategy, we are poised for the first time in the computing industry to have a major computing evolution with security built in. I cannot wait to be part of it!

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: Vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions for Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Masters of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize