Editorial
We still talk about security as though it were a separate, compartmentalized function of information technology.
There are the people who build software, the folks who monitor and manage the infrastructure, the data scientists who make all those great animated charts for the annual presentations, and the magical people who build and repair systems.
And let’s see, I left out somebody. Oh yea, security guys.
Who Are These Guys?
Even in the process of planning and producing articles about information security, there is a noticeable switch to a unique motif, and a refocusing of the lens of attention upon folks best characterized in silhouettes and cameos: “hackers,” cyber-terrorists, think tanks stuffed with anti-social geniuses, whiz kids with classified résumés.
The most used clip art or still store libraries in almost any CMS belonging to a web tech publication is the one with the guy in the fedora and sunglasses trying to guess the CompuServe password.
Immediately, we imagine a whole universe of people other than ourselves, about as realistic as Lord of the Rings but only about as exciting as reality television.
This is where things start to go wrong from the very beginning.
Cyber-Wocky
Cloud technologies — or what I call “cloud dynamics” (the science behind the tech) — were successfully reconstructing the universe in which information security takes place.
“Securing the perimeter” was beginning to sound old-hat and out of place, like a rerun of Lawrence Welk on PBS’ Saturday schedule.
I’d link to the page but it no longer exists. (One wishes the same could be said of “champagne music.”)
Here’s part of what I wrote: “Security is not (thankfully) a service of anyone’s public relations department. For once, the businesspeople who have their minds fine-tuned to this problem are asking the right questions.
“The most important of these questions, in my opinion, is this: If in every massive breach incident, the fault can be traced to design, then why can’t cloud architectures enable designs for a virtual envelope that have no practical correlation — that are physically impossible?”
In successive years, this question has been asked and answered. The “virtual envelope with no practical correlation” is a data center architecture whose virtual configuration has no one-to-one bearing or relationship with physical servers.
If you’re a CMSWire reader, you’ve already guessed what I’m talking about: containerization, championed by Docker Inc. and either willingly embraced or reluctantly adopted by the rest of the data center industry.
Baked In
Completely rethinking the architecture of the data center has mandated a total overhaul of the very concept of security. Sure, we’ve had our debates about whether certain aspects of Docker are as secure as we’d like for them to be.
But by re-orchestrating workloads with tighter and more granular automation, we’ve already begun devising global, scalable systems where workloads are secure to begin with.
What do I mean by “secure?” In over three decades of work, I’ve had to ask and answer that question a thousand times over.
Here’s a definition you can take to the bank: A secure system is one whose intentional use does not cause damage or loss, and for which unintentional use would require more effort than is justified by its reward.
Containerized environments go hand-in-hand with continuous integration and continuous deployment. It’s through the constant, reiterative CI/CD process that secure processes and practices get baked into new software and services.
So we really are working towards a more secure data center and more reliable, efficient, and safe IT environment. That’s good news for the people who build software, the infrastructure admins, the data scientists, and the systems builders.
Learning Opportunities
Webinar
May
30
ChatGPT and the Future of Conversational AI
This discussion explores various aspects of AI implementation, ethical considerations, and challenges for your organization.
Webinar
May
31
The Evolution of Employee Listening - 2023 Trends & Best Practices
Learn proven effective methods and solutions to supporting an inspirational future of Employee Voice
Webinar
Jun
1
How organizations can design, build and run Generative AI into the Customer Experience
Discover how to drive enhanced CX through Generative AI
Webinar
Jun
6
The Future of Social Media: Emerging Trends and How to Stay Ahead of the Curve
The impact of emerging technologies like AI on social media
Webinar
Jun
7
The Building Blocks of Personalization
This webinar will explore how personalization can create powerful ecommerce shopping experience.
Webinar
Jun
13
The Future of Contact Centers with AI at the Helm
Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX
Webinar
May
30
ChatGPT and the Future of Conversational AI
This discussion explores various aspects of AI implementation, ethical considerations, and challenges for your organization.
Webinar
May
31
The Evolution of Employee Listening - 2023 Trends & Best Practices
Learn proven effective methods and solutions to supporting an inspirational future of Employee Voice
Did I leave anyone out?
King of the Mountain
In a few weeks’ time, all the various factions of the IT security industry will meet once again in San Francisco for RSA 2016.
When you work in an industry whose key value proposition is threatened by the evolution of technology, you do what you can to avoid walking gently into that good night, towards the realm of defunct IT publications and Lawrence Welk albums.
Thank heavens there are still security breaches happening everywhere, otherwise, who knows where the security industry would be today.
The “perimeters” of the modern data center don’t really exist anymore (thus, the “cloud” metaphor).
As the job of security passes from a separate department of folks in silhouettes wearing fedoras and sunglasses, to groups of otherwise better-dressed folks like developers, admins, and CIOs, it becomes much more difficult to play the old-fashioned role of Chief Information Security Officer.
On Thursday, CMSWire’s Joe Shepley advised CISOs to “Get your house in order,” “Deliver business value,” and “Gain authority.”
But authority over what? The data center is no longer a castle to be defended, a perimeter to be monitored, a territory to fight and die for.
The CISO role is in danger of obsolescence, like a civil defense officer. If all the CISO is enabled to do is act as a uniformed patrol officer, reminding DevOps and developers that “Security is A-OK!” then we actually end up deterring the adoption of best practices, and working against the real accomplishments we’ve made in the past five years.
But a person in charge of information security is extremely critical to the efficiency and resilience of an organization.
It’s just that the meaning of “organization” has changed along with the meaning of “data center.”
The IT security products industry, as we have come to know it, has been sustained by the persistent need for vigilance and best practices after software has already been deployed, and after networks have been built. But even networks are software-defined today.
RSA 2016 will tell us whether the industry we had a habit of leaving out of the IT discussion, will end up locking itself out for good.
Title image "Mr. Civil Defense Tells Us About Natural Disasters" from a digital copy of a real 1956 publication, available for download from The Digital Deli Too
Learn how you can join our contributor community.
