New Enterprise Security Threats: Emerging Technologies
Each generational transition in IT, such as from mainframe to client server or from client server to web applications, has presented challenges to enterprise security. The pattern is clear, and will likely sound familiar to anyone working in IT through these last two major shifts:
- The emerging technology is initially ignored as a lab project or toy.
- As the technology is first applied to solve business problems, organizations often attempt to restrict or ban any meaningful use.
- When the production status of systems or apps built on the new tech can no longer be ignored, security is typically enforced through controls on the legacy infrastructure, which holds the systems of record for the existing enterprise data used by the new apps.
- Eventually the emerging technology matures, and adoption increases, to the point that its security role and context are understood and verified to the same level as legacy systems.
This pattern results in a series of enterprise security risks and, perhaps more unfortunately, a series of missed opportunities to improve protection and decrease cost with each generation of technical change in IT. I would love to see IT security getting involved with emerging technologies at stage 1 in the pattern above, thinking about how the new tech can be used in ways that improve security rather than threaten it. Attempts at banning emerging technology in stage 2 usually push the use under the radar, so that departmental systems exist outside of normal production boundaries, increasing the risks over sanctioned use. The first attempts at security controls in stage 3 discount the value of the data that lives in the new systems, and lead developers of the new applications either to create their own security models from scratch or to largely ignore security under the assumption that it is a legacy-system problem. Finally, at stage 4, a massive task has built up. As formal security models are applied to the new systems and applications, large, costly changes have to be made that would have been almost free if thought about earlier.
There is a generational change happening today in the enterprise, and I think it is not too late to change the pattern. The technologies that are driving down the cost of starting Internet companies are having an impact in the enterprise as well: open source software such as Linux and MySQL, newer languages such as Python, Ruby, Erlang and PHP, frameworks such as Ruby on Rails, and other technologies like virtualization and outsourced web service infrastructure (EC2, S3, etc.) are all enabling rapid, inexpensive development of production-capable apps by very small teams.
This generation of emerging technologies brings with it some wise principles: a core focus on testing, continuous integration, convention over configuration, and loose coupling via well-defined interfaces (among others). I think the opportunity presented here is a great one. If people who care about enterprise security get involved with these technologies and the communities behind them now, then security can be built into these frameworks in a way that makes it tough to build new applications that don’t do security well.
Using Ruby on Rails as a simple example, if good security becomes the convention, it is built into every application and tested for at every stage. Simple investments in gem-based integration of enterprise security infrastructure such as single sign-on and role-based access control systems can create an environment where developers build and verify security by default. The enterprise can do this internally, and can also encourage or require outside vendors of security components to support emerging technologies much earlier than they do today.
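To make the "security as the convention" idea concrete, here is an added example in plain Ruby; it is not code from the original post or from any Rails gem. It models a shared base controller of the kind an enterprise gem could provide: every action must declare the role-based permission it needs, an undeclared action is refused even for an administrator, and a `undeclared_actions` check lets the test suite fail the build when a developer adds an action without thinking about access control. The role names, permission strings and `ReportsController` actions are constructed for illustration; `Rbac::ROLES` stands in for the central RBAC system the post mentions.

```ruby
# Added example, not from the original post. Deny-by-default role-based
# access control as a framework convention, in plain Ruby (no Rails needed).

module Rbac
  # Constructed role -> permission mapping. In an enterprise this table
  # would be fetched from the central RBAC / SSO infrastructure.
  ROLES = {
    "viewer"  => %w[reports:read],
    "analyst" => %w[reports:read reports:export],
    "admin"   => %w[reports:read reports:export reports:delete users:manage],
  }.freeze

  def self.allowed?(role, permission)
    ROLES.fetch(role, []).include?(permission)
  end
end

class AccessDenied < StandardError; end

# The convention: subclasses declare the permission each action requires.
# An action with no declaration is refused, not silently allowed.
class SecureController
  def self.requires(permission, only:)
    @required ||= {}
    Array(only).each { |action| @required[action.to_sym] = permission }
  end

  def self.required_permissions
    @required ||= {}
  end

  # Public actions defined directly on the subclass.
  def self.actions
    public_instance_methods(false).map(&:to_sym)
  end

  # Actions nobody has declared a permission for. A CI test can assert this
  # is empty, so "forgot about authorization" becomes a failing build.
  def self.undeclared_actions
    actions - required_permissions.keys
  end

  def initialize(role)
    @role = role
  end

  # Central enforcement point: checks the declaration, then the role.
  def dispatch(action)
    permission = self.class.required_permissions[action.to_sym]
    raise AccessDenied, "#{action}: no permission declared" if permission.nil?
    unless Rbac.allowed?(@role, permission)
      raise AccessDenied, "#{action}: role #{@role} lacks #{permission}"
    end
    public_send(action)
  end
end

# Constructed application controller. :destroy is deliberately left
# undeclared to show that the default is denial, even for "admin".
class ReportsController < SecureController
  requires "reports:read",   only: [:index, :show]
  requires "reports:export", only: :export

  def index;   "list of reports"; end
  def show;    "one report";      end
  def export;  "csv bytes";       end
  def destroy; "report deleted";  end
end

# Convenience wrapper: true if the role may run the action, false otherwise.
def authorized?(controller_class, role, action)
  controller_class.new(role).dispatch(action)
  true
rescue AccessDenied
  false
end

if __FILE__ == $PROGRAM_NAME
  puts ReportsController.new("analyst").dispatch(:export)
  puts "viewer may export? #{authorized?(ReportsController, 'viewer', :export)}"
  puts "undeclared actions: #{ReportsController.undeclared_actions.inspect}"
end
```

The point of the design is that the cost of doing the right thing is one line (`requires ...`) while the cost of forgetting is a failed test, which is what "convention over configuration" buys for security when the convention is deny-by-default.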
This kind of investment is a big shift for most enterprise security organizations. It will require spending, managing and perhaps hiring a bit differently, but I believe the result is better security at a lower cost to both the security organization directly and to the enterprise in general.
Mickael Remond wrote:
Hello,
I think your title can be quite confusing. I first read it as “Emerging technologies are causing new security threats to Enterprises”.
Reading the article it becomes obvious that you actually mean the reverse, but your title can be somewhat misleading.
Just my 2 cents.
–
Mickael Rémond
http://www.process-one.net/
Posted 12 Mar 2007 at 11:14 am
David Brussin wrote:
Mickael,
I intended the title to be a bit ambiguous, since the status quo for emerging tech in the enterprise creates risk… but my hope is that this “threat” can be turned into improved security.
In short, you’re right. I could have picked a better title to make my point clear from the beginning.
Thanks for the feedback!
Posted 12 Mar 2007 at 11:27 am
Toby DiPasquale wrote:
I would say that it makes little sense for the security team to be necessarily included in the stage 1 “toy” development as that a) slows things down, and b) would be largely a waste of time if you don’t adopt said emerging technology any further. One time is no big deal, but if you do this to the security team over and over again, they’re going to stop accepting your meeting invitations.
Stage 2 might be a more appropriate starting point for the inclusion of the security team, assuming your organization is advanced enough to have such a thing. That would expedite most of the issues normally associated with stage 3 as described above but still not detract from early-stage venture development or waste too much of the security team’s time.
Posted 12 Mar 2007 at 1:54 pm
David Brussin wrote:
Toby,
This is kind of what I was thinking when I mentioned hiring differently. I think in a company big enough to have people playing with emerging tech, ‘enterprise security’ should have people whose job includes playing with emerging tech with a security frame of mind.
To your point, that’s not going to happen overnight, and until people realize the advantages of earlier investment…. Stage 2 is a much better starting point than stage 4!
Posted 12 Mar 2007 at 2:05 pm
Scott wrote:
“I would love to see IT security getting involved with emerging technologies at stage 1 in the pattern above, thinking about how the new tech can be used in ways that improve security rather than threaten it.”
David, I couldn’t agree with you more. I think it’s vital that companies take the initiative to utilize emerging technologies to better enhance enterprise security. Take a look at Siemens for example, who yesterday launched a partnership with Marathon, a company that offers high availability solutions, to coincide with their SiPass access control system.
Would you consider this engaging at stage 1?
http://www.marathontechnologies.com/press_release.html?id=222&rand=603817170
Posted 13 Mar 2007 at 11:18 am