If we look at Information Technology generations, I would say we are presently in Information Technology 4.0 and moving to 5.0. What do I mean?
Information Technology 1.0
This was the era of the floppy drives where systems were developed and people were amazed they worked! They were deployed close to the people using the system because there was either no network or networking was too slow to even support inter-office usage.
This was when IT was new-ish and just starting to be leveraged; decentralisation was common in both the hardware, software and skills.
Information Technology 2.0
At some point, we realised that having 20 servers spread around a city and more around the world was extremely hard to manage. Networking (MAN, the metropolitan area network) was increasing in bandwidth and decreasing in cost.
What happened then was that efforts were made to centralise servers from closets everywhere to a server room. Lots of physical boxes, each dedicated to a particular task. Each box, of course, with it‘s own 12 week lead time for delivery and each with redundancy in the hardware to try to maximise availability.
The decentralisation also happened with software, with more focus on standard builds and automation. Heck, it was sometime in this period that Patch Tuesday must have become a thing!!
Sidenote: in the move from IT 1.0 to 2.0, I was very happy to bring automation and standards into platforms as I had a colleague who could build two servers in one day that should have been identical but never were….
Information Technology 3.0
The dawn of shared resources. Blades and clusters of hardware supported the sharing of hardware and the virtual era was born! If you did things right, you had hardware available reasonably quickly (certainly mostly less than 12 weeks) and more automation and standardisation became the norm. We are still in this era now, for those who did not hit The Cloud yet.
Information Technology 4.0
This is today and tomorrow. It‘s no longer our hardware nor our care about servers and hosts. We click some buttons, fill out some details and 5 minutes later, there is a server running somewhere, somehow, for us. Someone else is running it, polishing it, replacing hardware that fails – and we don‘t know and don‘t care about it.
So what are the risks?
There are plenty of risks here. Security may well be managed and risks reduced but we have to be sure. Consider the following:
- Information Technology 1.0 still exists in places. You should worry because that generation of IT expertise is getting ready to retire…! But you cannot (or should not) lift-and-shift the technology because it might not work and you don‘t have the skills to move it. You should worry and give this attention.
- During these generations, patching has been introduced for many platforms and solutions – but people are the weakest link. As the technology gets older, the skills erode from the company (leavers, retirement) and the new IT experts are too worried about breaking Availability that they avoid patching.
- Virtualisation brought about a boom in server volumes. When you have tens of thousands of servers, patching them becomes a risk. Due to the natural lag of some technology, erosion of that technology makes maintenance and patching harder – and the sponsor/business owner of the application does not want to invest in maintaining or improving the system (after all, it has worked for years). They instead divert budget into Digital Transformation (because it‘s cool).
- Lift-and-shift. It is the enemy. It brings fear because it rarely will work, especially the more time passes. The conundrum – to lift-and-shift, leave as-is or try to get funding to do it properly. You can guess what happens…..
I always tell my management that we do new things really well and our oldest assets are probably our biggest worry. If we can patch, if there is hardware to bring a system back to life if it fails, if the documentation is accurate and can be used today, if our source for rebuilding works and our licencing information is accepted.
The list goes on and security professionals need to be on top of this and to push their senior management on the topic.
An example I can bring without being too specific; where I work, there is a solution clearly designed in its 1.0 version in 1990 (because it‘s called Something90 in our inventory). Its first iteration, back in 1990, was to have an input device attached to a serial port and an output device (printer) to the parallel port. I‘m guessing but most likely right….
It exists today with an input device and an output device (printer) attached via USB. Modernisation in a reasonable way…..except the design for how the USB device policies have been applied are set to allow more than just those specific devices. Our organisation is strict, very strict, on who can connect and use a USB device (especially storage) but these devices sit in a blind spot.
It‘s the CISO‘s role to somehow find these blind spots, challenge them and get the risk reduced to a specific device type being permitted. The solution clearly went though a lift-and-shift modernisation when serial and parallel ports went away and then had a retrospective USB device control policy applied to them – which of course was designed to just allow them to work.
Less-is-more (security) is definitely a posture we will have to get this setup to – and quickly.
So, the moral of the story is remember Information Technology 1.0 and avoid lift-and-shift. But do assume it happened and try to find it and asset what the risk is today and tomorrow – because getting rid of these things will not happen quickly!