Security has been notably absent from earlier evolutions in the computing industry. For a long time, the industry has evolved in two parallel universes: 1) the IT infrastructure universe, creating innovative techniques to compute, communicate and store information with little or no security consideration, and 2) the IT security universe, trying to solve the security problems newly created by the IT innovators.
As examples, the IETF standardized TLS 1.0 (RFC 2246, the successor to Netscape's SSL) in January 1999, almost three years after the publication of the HTTP/1.0 specification in May 1996 (RFC 1945). It took Microsoft almost seven years to move from Windows NT® 3.1 (1993) to Windows 2000® and ship a network operating system with a comprehensive distributed security architecture based on Kerberos.
The segregation between the IT infrastructure universe and the security universe has created artificial markets for bolt-on security products, and a lot of frustration for practitioners over the inefficiency and poor manageability of such approaches. It has also resulted in an unhealthy relationship between security departments and IT departments that could, simplistically, be summarized as follows:
- IT departments embrace emerging technology even when it has little security built in
- Security departments oppose any new technology until they yield to its business benefits or to its viral adoption
- Security departments are then left struggling to close the security gaps introduced by the newly deployed technology
The emergence of cloud computing offers hope that we will not repeat the mistakes of the past. Security and trust are central to the architectures being built by cloud computing vendors (see the recent post on “The security-aware cloud”). However, this artificial segregation will not disappear until the entire IT ecosystem, from practitioners to vendors, starts treating security and infrastructure as one and the same.
On the vendor side, the cracks started appearing a few years ago with the acquisition of RSA by EMC, and increasingly the security providers are the same vendors that deliver IT infrastructure: EMC, Cisco, Microsoft, IBM or Oracle.
Two recent studies on the extended enterprise show signs that practitioners are following suit.
In the fourth report published by RSA and the Security for Business Innovation Council, titled “Charting the Path: Enabling the “Hyper-Extended” Enterprise in the Face of Unprecedented Risk”, a panel of Chief Security Officers offers its view on a set of emerging technologies and proposes strategies for leveraging these technologies while managing risk.
The report’s call for information security departments to “proactively embrace new technology on your own terms” is an acknowledgement that the culture of systematic opposition exhibited by many security departments in the past has failed. It is a critical step towards bridging the gap between IT infrastructure and security teams.
On the other side of the fence, the second study, conducted by IDG and commissioned by RSA, surveyed 100 top IT executives, a majority of whom did not have security responsibilities. On one hand, the report, titled “As Hyper-extended Enterprises Grow, So Do Security Risks”, highlights some of the same old behavior: two-thirds of the respondents who have an application or business process running in the cloud admit that they do not yet have a security strategy in place for cloud computing. On the other hand, an overwhelming majority of respondents (80+%) agree that organizations should move away from siloed approaches to security and that enterprise security professionals must collaborate across the organization.
With security and IT practitioners both admitting the need to desegregate, and cloud computing providers making security central to their strategy, we are poised, for the first time in the computing industry, to see a major computing evolution with security built in. I cannot wait to be part of it!