I was out last week on holiday to visit my family for the US Thanksgiving holiday. We flew into the regional airport and rented a car. As we were driving to my parents’ house, I started thinking about the protection capabilities built into the rental car: front and side air bags; automatic seat belts; antilock brakes; traction control; alarm system; keyless door entry and so on. It even had one of the newer keys with the embedded chip.
This doesn’t mean the car manufacturer has to make all of the components. Seriously, much of the automotive manufacturing is done by outside third parties – security and safety related or not.
Best practice would be to separate the security and management control plane from the operational backbone – so something like the airbag and antilock brakes work even if the main CPU is down.
And remember that much of this was the result of regulatory requirements – most car manufacturers didn’t offer seat belts and air bags until they were forced to. That reinforces the role of third-party auditors and regulators to make sure the auto manufacturers are doing the right thing. In our case, this translates to taking the responsibility for setting security policy out of the hands of operations, and to recognizing the impact of the external regulatory environment.
My daughter wanted to sit in the front passenger’s seat, but there was no direct way to disable the air bag (it used a weight sensor to detect if a passenger was seated). In our case, this translates to restricting the ability of administrators to disable security controls.
Infrastructure can’t protect infrastructure? Sure it can, and quite well.
Let’s just make sure we continue to follow best practices such as:
- Separation of security policy formation from operations.
- Separation of the security and management backplane from the operational network.
- Separation of duties for administrators of the platform and restricting the ability to arbitrarily disable security controls.