Threats may come from inside or outside, even from devices that have no direct connection.
Large companies have been utilizing private clouds for the past half-decade as a way to safeguard their data and still take advantage of outsourcing economics. Using that approach, the data center has become an in-house service provider with its own P&L, which is why there has been such a push to improve efficiency well beyond the server consolidation that was made possible with virtualization. It’s no surprise that operating expenses for powering and cooling technology costs big bucks, and boosting the utilization as well as the uptime of servers has made the careers of some CIOs.
Two things have been worrying CIOs lately, though, both of which are related to security. The first involves the proliferation of a wide variety of mobile devices from multiple manufacturers. These are no longer just variations of name-brand smart phones. They include everything from smart watches to white-box tablets.
Some companies have implemented rings of firewalls, starting within those devices to keep corporate data separate from unsecured personal data, with different firewalls on networks, inside of servers. The strategy for highly sensitive data has been to “air gap” servers, essentially creating a series of Venn diagrams where none of the circles touch. That kind of isolation, at least in theory, should prevent any data leakage. But with wireless access throughout buildings, and a variety of devices now permitted inside those companies, leakage is almost impossible to control even if outright breaches are made more difficult. Nothing is impossible to penetrate in electronics—not even a hardened chip with anti-tamper technology that self-destructs when the outer case is ground off—but it can be made difficult enough that rewards don’t justify the time it takes to crack those systems.
Still, CIOs are still expecting disaster at any moment. The bring-your-own-device movement has added a whole new threat level for the corporate enterprise that never existed before. While firewalls may remain intact to outside threats, they do nothing to block threats from inside those firewalls. Moreover, most companies need to have at least some of their systems connected to the outside world, which is where the second big worry begins. The Internet is like an enormous spider web. There are so many connections that no one can ever possibly keep track of them, and therein lies the problem. Imagine connecting a bank server to a user’s smart device for online banking, which in turn is connected to a home network, wearable electronics that employ the least-expensive hardware available, or a home security system that was bought off the Internet.
The highly public breaches at banks, retail chains and government offices are just the beginning of a brand new crime wave that will engulf every facet of the connected electronic infrastructure. Most security experts believe there are sleeper circuits everywhere, already in place, to take advantage of these openings for a variety of nefarious purposes. Others aren’t so sure, saying that eventually everything will be replaced anyway and that plugging security holes going forward will probably solve most problems over several years. Time will tell who’s right.
Nonetheless, the push toward private clouds, more sophisticated firewalls, better data access policies and better-architected electronics haven’t done much to deter hackers. And being promoted to CIO these days is no longer a guarantee that you will have a job in two years—or maybe in six months—even if you do everything right. And there are no guarantees that if consumers buy state-of-the-art technology for their homes, their cars or their offices, they won’t become the gateway to a disastrous breach somewhere far away across some remotely connected network.
There are plenty of people at work on this problem, in private industry and in government. Many vendors now offer more secure everything, from IP blocks to complex server technology to better supply chain management. The problem is that with everything connected, no one solution fixes everything—particularly in the data center. And as complexity converges with the rollout of the IoE, the general consensus is that never before have things been so secure and non-secure at the same time. That’s not exactly a comforting conclusion.