download issue 27 here - Help Net Security
Security was comparatively easy. Hundreds or thousands of users were physically hard-wired to the data center (pre-IP, of course). Products like RACF identified users with simple user IDs and passwords, and the mainframe knew where every terminal was located. Users and groups of users were given access rights to specific files and directories. All of the intelligence was at the central processing unit, located in some distant, environmentally controlled room.<br />
On August 12, 1981, along came the 5150. You might know it better as the IBM PC. IBM’s thinking was that this miniature ‘almost a computer’ was the perfect way to get small businesses addicted to IBM; they would then grow into its larger offerings.<br />
But business had a different idea. Why shouldn’t they be able to run software locally on the PC and connect to the mainframe? With programs and data now being processed and stored locally at the PC, the old security rules and architecture had changed almost overnight.<br />
Companies had to develop ways to manage distributed computers, and push out security policy and enforcement to the PC.<br />
With the introduction of Local Area Networks, vendors introduced competing and incompatible products, with negligible standards. From a security standpoint, the landscape changed again. There was no longer any need to run complex software at the PC. The LAN would manage it all, and your PC would not be burdened with the taxing processing.<br />
This fundamental architectural shift in the IT industry again challenged us “security folks,” as now we had to consider how to secure the LAN, the servers and the data that could still be stored on the PC. We were treading on entirely new ground.<br />
In the rush to capitalize on Gordon Gekko’s “Greed is Good” mantra, so loved by the financial industry, along came client-server architecture. This architecture expanded on the LAN model by distributing processes and storage across a plethora of servers in an effort to increase power and balance loads. The business units demanded the function, IT built a solution, but the security problems were immense and never adequately solved. A hybrid of centralized yet distributed security failure points was a catastrophe, until a savior appeared on the scene.<br />
The sudden appearance of the Web triggered the development of yet another IT architecture. Every machine could be a client. Every machine could be a server. Not quite what we have come to know today as P2P networking, but certainly an early evolutionary step. Again, security was, at best, a minor afterthought, since the Web was designed to be platform-agnostic.<br />
Herein again, the mistakes of the prior generation of IT management were repeated with historical ignorance and arrogance. Let’s take this phenomenal connectivity, build piles of cool applications that can be run on almost any computer from almost any computer, and return the power to the user.<br />
Business was driving IT to build out function, secure web programming was a distant formalization, and the consumer demand was, and still is, insatiable. Where does security fit into this model? Viruses, worms, and an endless supply of threats created a multi-billion dollar industry that is akin to the carnival game of Whack-a-Mole.<br />
Fast forward to today: given the consumerization of the Internet, security is again treading in untested waters. Servers need to be secured, but unless the virtual drawbridges are in the ‘down’ position, commerce is shut off. An architectural dilemma to be sure, compounded by the fact that this security model assumes that the individual user knows how, and will actively participate in, the security process.<br />
www.insecuremag.com 40