Library of Sparta

Lancope recently put on a webinar, now posted to YouTube, entitled “The Library of Sparta.” It was a great webinar: they discuss the military concept of terrain analysis, the idea that we should constantly think about our threat landscape and what we can do to change that “terrain” to our advantage in the fight against hackers.

Open Compute Project

While reading an article from Wired in which they interviewed Facebook about the development of its new open-source switches running on smaller, simpler hardware, I came across a project that I found rather interesting: the Open Compute Project. Its main mission is to create a forum where innovation and collaboration can occur between organizations across the world to increase the performance, scalability, and ease of deployment of multiple system types across the IT estate.

Historically, from my perspective as I’ve gone through IT, the method of deployment is too cumbersome. There are too many groups involved with different request processes, and too many dependencies where resources become tied up in trying to deploy systems and services. On top of that, many of the different platforms out there require specific training and are cumbersome to configure and understand. The added cost of infrastructure is also reducing the ability of IT departments to scale at the rate they need. Seeing the types of equipment that OCP members such as Facebook, Google, and Amazon are developing is encouraging. They are building simple platforms that allow for high bandwidth and that let the tools which currently manage server infrastructure also manage the networking infrastructure. Many tools already exist to manage large-scale deployments of Linux servers and to automate changes from templates created by each IT department. This is definitely of interest for many companies, as the time to deployment right now is too long and too costly. Granted, with a well-managed virtual machine environment and a network designed properly from the ground up you can get around the time consumption, but it is all still very costly from a budgeting perspective. If you are interested in reading more about what they have done, I’ve included links below.

Facebook Now Runs on Networking Gear Designed by Its Own Engineers
Facebook’s New Data Center Is Bad News for Cisco
Going With the Flow: Google’s Secret Switch to the Next Wave of Networking
Open Compute Project

CCNP Passed

I finalized my CCNP studies a few weeks ago by finishing the ROUTE exam. It was a lot of long nights studying in the lab, going through scenarios to get the command structure in my head and observe the behavior of routing protocols, but it was well worth it! I’m currently set to take my ARCH exam for the CCDP at the end of March. This has been a great experience so far learning how networks function and how to build out a resilient, efficient network from the bottom up. If you haven’t started, you should definitely start now!

Cisco Certified Network Professional – CCNP

For the past year (sadly), I’ve been working on getting my CCNP. I started down this road when I arrived at my first networking role. I was a Network Operations Center (NOC) analyst for a US-based company at the time. I had no idea what Cisco was or even what subnetting was for, but I did have a desire to learn. I started by going to a Cisco Learning Center at Collin County Community College here in the Dallas-Ft. Worth Metroplex. I learned so much about networking, and the further I went, the more I loved IT in general. I finally achieved my CCNA in July of 2007, a year and a half after I started my role, and a full year after I started my CCNA training.

Now I have passed both my SWITCH and TSHOOT exams, with just the ROUTE exam left to go. I’m studying heavily on EIGRP, OSPF, BGP, IPv6, Redistribution and Path Selection in preparation for this exam which I have in December. I kept slacking on my ROUTE exam preparation because I had quite a few things going on in my life ranging from new responsibilities I was having to take on at church to my new role as a network engineer. With my studies I have gained a few insights about why I feel the entire Cisco certification program is such a strong certification to hold for anyone in the IT industry.

Cisco knows networking thoroughly. They don’t just sell a product, they love their product. They love their profession and what it stands for. “Tomorrow starts here” is not just their company slogan; it is what drives them to innovate. Cisco has provided so much innovation in the field of networking that they have truly revolutionized what networking is, from the days of thicknet to today, the age of wireless and the Internet of Everything.

Since Cisco loves what networking is all about, they thoroughly understand it. That is great for people like us who are trying to learn networking and expand our horizons. They teach you the principles of networking before they teach you the product and how to configure it. I’ve been through many other certification exams for other products, and they focus entirely on their product and nothing more. From Check Point to Juniper, they don’t truly teach you the principles behind networking or security that would help you understand why their product is necessary.

CCNA and CCNP are always among the top IT certifications, from both a market-demand perspective and a pay perspective. That is yet another reason why you should at least get a CCNA, no matter what you do in IT.

I’ve attached some references for you to look at, which may also lead you to think about what other certifications you might want to get. I know I have my list which I want to get here in the next year.

15 Top-Paying Certifications for 2014
What Is the Value of a Cisco Certified Employee

Docker and its Engine

I’ve been reading up on the recent developments between Docker and the cloud world, and this is an interesting concept. In fact, I do find it interesting that we can’t seem to provide a simple system for implementing basic OS images in VM environments so that we can deploy applications on a whim. Also, each VM takes up more disk space, which is the most costly of all IT resources.

So far, from what I’ve read, Docker is basically a type of Hypervisor, but instead of providing separation for multiple OS environments, it allows for separation of multiple applications, with the Docker Engine being the base OS for all the applications. All of your necessary binaries, libraries, and applications are bundled into a Docker and can be replicated, moved or managed individually.

Google’s Kubernetes helps you manage that environment, but I’ve yet to grasp exactly what its purpose is. I’ll keep you all posted as I read more. Hopefully in the coming weeks I’ll have a good grasp of how Kubernetes and Docker interact and how we can utilize this to increase the flexibility of IT while still maintaining the security around the applications and data involved.

Google Kubernetes and Docker

I’ve recently seen that Google has released its cloud computing platform as an open-source option called Kubernetes. As part of that, they are embracing the application packaging technology Docker. This definitely shows a lot of promise for companies that wish to run their own cloud in their data centers so that they can utilize the processing power available across all of their servers. I’m going to be reading up on this and how you can use it under industry audit standards like PCI and HIPAA. I’m also curious how storage access is accomplished with this.

A New Purpose

I’ve recently become interested in overall network design as well as the security built into that design. I’m almost done with my CCNP certification, and after that I plan to chase down the CCDP and my CISSP. I am also planning on finishing the bachelor’s degree that I started back in 2001. So this blog will encompass many things that I am studying or learning about as part of my studies. Thanks for reading and I hope you guys enjoy!

Redesigning IT Security

As a member of a global security organization that was global only by name, I’ve seen the extreme downside of having patchwork, dysfunctional security across the IT infrastructure. It takes forever to find problems and breaches, figure out what actually occurred, and then patch the holes and recover from the issue. I’ve been reading through a few documents recently that cover a lot of ideas about where IT security has been historically and where it should be going.

Currently, security is always an afterthought. It goes that way with anything in life for most people: they go down the road not planning for an emergency until it has happened. Now how do you fix it? With the proliferation of cloud technologies such as Dropbox and Evernote (both of which I use personally) and the state of BYOD in the corporate world, there are many holes and opportunities for data loss and reputational damage from breaches. We’ve also got the external threats of phishing, social engineering, hacktivism, and nation-state attacks to worry about and protect ourselves from, while staying within a sustainable budget so that we can continue being profitable as a company. To do this you have to plan your security from the ground up. That way you can easily mitigate security risks by properly implementing applications and services within the IT infrastructure. Also, by planning in advance, you can properly design a network and server architecture that utilizes high-density and cost-effective solutions yet still provides the same level of security. There have been multiple times that I’ve been on a project where, due to poor planning, we were forced to set up an entirely new leg of the network populated with servers, SAN, the whole gamut. That creates complexity, which increases implementation time, troubleshooting, and training/onboarding of new personnel.

So how should you begin planning your IT security framework? You first need to start with understanding yourself. What is your business about? What compliance and regulation do you need to be thinking of (HIPAA, PCI-DSS, etc.)?

Once you understand the business, you then need to work on your data classifications. Keeping the number of classifications low will help with the complexity side of things; three to four is a good number. It could be Public, Internal, Restricted, or maybe Public, Internal, Confidential, Restricted. Choose whatever you think is best for your organization.

Now that you have a good understanding of your business and data classifications, you need to work on an understanding of your applications. How do they function with each other, and what classification of data do they hold? Getting a firm grip on your applications’ interactions and functionality will help you design a network strategy that scales well over time, along with a server and SAN strategy that also scales. It will also help you understand what security gaps there might be, so that you can cover them with compensating controls and technologies.

Now it’s down to designing your IT infrastructure. Placing external-facing applications away from internal-facing applications is a great way to limit unnecessary exposure to external risks. Making sure you are using your firewall and IPS technology effectively at proper network bottlenecks will help you keep costs down as well as simplify the infrastructure. Design your network to be modular: make it so you can add modules to a central core routing infrastructure so that it scales well. Add strong authentication to all externally facing applications. Make sure that you are doing vulnerability and penetration testing on your environment and using that data to update your IPS policies and patching strategies. Build a simple and efficient SIEM capability so that you can gather logs from critical parts of the infrastructure. Don’t just place SIEM infrastructure everywhere and pull logs into it from everything; make sure that SIEM coverage is allocated according to data classification. The same goes for firewalls, IPS, WAF, etc. You need to create a security matrix which gives you the security controls to consider for each data classification. Not all of them might be needed, but it at least gives you a checklist to go through when designing new modules in the network. Also, keeping your endpoint security simple will help your personnel learn it quicker and actually use it instead of trying to bypass it. My last manager taught me a lot about making sure users have a good experience with the security we put in place. If your own user base is trying to undermine your security posture by bypassing it, then you open yourself up to greater risk.

And finally, you need to make sure that processes are in place to effectively manage your environment, from HR policies for adding, modifying, and removing users, to adding, modifying, and decommissioning applications and services in your environment. This allows you to retire unused infrastructure, save costs, and decrease complexity.
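As an added illustration (this is not code from the original post), here is the security matrix idea from the steps above in Python: data classifications ranked by sensitivity, a table of required controls per classification, an inventory of applications with the data they hold and the controls their design actually provides, and a review that reports the gaps per application and flags network modules that mix external-facing and internal-only applications. The classification names, control names, application records and module names are all constructed assumptions; a real matrix is derived from your own business and compliance drivers (HIPAA, PCI-DSS, etc.).

```python
"""Security control matrix driven by data classification (constructed example)."""
from dataclasses import dataclass

# Classifications ordered from least to most sensitive (names from the post).
CLASSIFICATIONS = ["Public", "Internal", "Confidential", "Restricted"]

# Controls to consider per classification. Constructed example values; the real
# matrix comes from the organisation's compliance and risk requirements.
CONTROL_MATRIX = {
    "Public":       {"firewall"},
    "Internal":     {"firewall", "ips", "siem"},
    "Confidential": {"firewall", "ips", "siem", "strong_auth"},
    "Restricted":   {"firewall", "ips", "siem", "strong_auth", "waf", "vuln_scan"},
}

# Controls that are mandatory for anything reachable from the Internet,
# regardless of classification (strong authentication on external apps).
EXTERNAL_EXTRA = {"strong_auth", "waf"}


@dataclass
class Application:
    name: str
    data_classes: set     # classifications of the data the app holds/processes
    external: bool        # True if reachable from outside the network
    controls: set         # controls the current design actually provides
    module: str           # network module the app is placed in (hypothetical names)


def highest_classification(classes):
    """An application inherits the sensitivity of the most sensitive data it holds."""
    return max(classes, key=CLASSIFICATIONS.index)


def required_controls(app):
    """Look up the matrix row for the app's highest classification, plus external extras."""
    req = set(CONTROL_MATRIX[highest_classification(app.data_classes)])
    if app.external:
        req |= EXTERNAL_EXTRA
    return req


def gaps(app):
    """Controls the matrix calls for that the design does not provide (sorted list)."""
    return sorted(required_controls(app) - app.controls)


def module_violations(apps):
    """Modules that mix external-facing and internal-only apps, which the post advises against."""
    faces_by_module = {}
    for app in apps:
        faces_by_module.setdefault(app.module, set()).add(app.external)
    return sorted(m for m, faces in faces_by_module.items() if len(faces) > 1)


def review(apps):
    """Return (per-app report, list of offending modules)."""
    report = {
        app.name: {
            "level": highest_classification(app.data_classes),
            "gaps": gaps(app),
        }
        for app in apps
    }
    return report, module_violations(apps)


# Constructed inventory used to exercise the checks.
SAMPLE_APPS = [
    Application("marketing-site", {"Public"}, True,
                {"firewall", "waf", "strong_auth"}, "dmz"),
    Application("payroll", {"Internal", "Restricted"}, False,
                {"firewall", "ips", "siem", "strong_auth"}, "core-services"),
    Application("customer-portal", {"Confidential"}, True,
                {"firewall", "ips", "siem"}, "core-services"),
]


if __name__ == "__main__":
    report, bad_modules = review(SAMPLE_APPS)
    for name, entry in report.items():
        print(f"{name:16} level={entry['level']:12} gaps={entry['gaps']}")
    print("modules mixing external and internal apps:", bad_modules)
```

Running it on the constructed inventory shows the payroll system, which touches Restricted data, missing WAF and vulnerability scanning, the externally reachable customer portal missing strong authentication and WAF, and the core-services module flagged because an external-facing application sits next to an internal-only one.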

Below is the document I liked the most. HP covered a lot of the facets of IT security design, and they covered it extremely well and concisely.

Rethinking your enterprise security – Critical priorities to consider – by HP

Welcome to IT Security Redesigned

Hello, and welcome!  I would like to personally thank you for visiting IT Security Redesigned.  This will be a blog regarding IT security ideas and concepts where we can discuss and improve our ideas of IT security in the various industries around the world.

I would like to start off by discussing a little bit about myself and my background. I have been working in the field of IT since I was in middle school. I had my first programming class in 6th grade and I’ve been an avid IT junkie ever since. I started with programming and web development, then branched out to server management, and finally ended up in a network role in my first corporate job. During my time as a network operations specialist I was granted the opportunity to see multiple facets of IT and how corporations function. I then got my first chance in IT security with a firewall internship at the company for which I work. Ever since then I’ve enjoyed learning about security design, from authentication and server security to network security.

I currently do not have any accolades in security except for my CCNA Security and my experience in the field. But I hope that through this blog and through study, this will all change. Let’s learn together through discussion and teamwork!