Neil MacDonald

A member of the Gartner Blog Network

VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Rental Cars and Infrastructure Security

by Neil MacDonald  |  November 29, 2010  |  5 Comments

I was out last week on holiday to visit my family for the US Thanksgiving holiday. We flew into the regional airport and rented a car. As we were driving to my parent’s house, I started thinking about the protection capabilities built into the rental car: front and side air bags; automatic seat belts; antilock brakes; traction control; alarm system; keyless door entry and so on. It even had one of the newer keys with the embedded chip.

This doesn’t mean the car manufacturer has to make all of the components. Seriously, much of the automotive manufacturing is done by outside third parties – security and safety related or not.

Best practice would be to separate the security and management control plane from the operational backbone – so something like the airbag and antilock brakes work even if the main CPU is down.

And remember that much of this was the result of regulatory requirements – most car manufacturers didn’t offer seat belts and air bags until they were forced to. That reinforces the role of third-party auditors and regulators in making sure the auto manufacturers are doing the right thing. In our case, this translates to taking responsibility for setting security policy out of the hands of operations, and to recognizing the impact of the external regulatory environment.

My daughter wanted to sit in the front passenger’s seat, but there was no direct way to disable the air bag (it used a weight sensor to detect if a passenger was seated). In our case, this translates to restricting the ability of administrators to disable security controls.

Infrastructure can’t protect infrastructure? Sure it can and quite well.

Let’s just make sure we continue to follow best practices such as:

  • Separation of security policy formation from operations.
  • Separation of the security and management backplane from the operational network.
  • Separation of duties for administrators of the platform and restricting the ability to arbitrarily disable security controls.

Category: Information Security Virtualization Security

5 responses so far ↓

  • 1 Andre Gironda   November 29, 2010 at 12:47 pm

    I think it’s increasingly important to separate the concept of infrastructure into infostructure (data and apps) and metastructure (the virtualized and compartmentalized compute, storage, and network stacks).

  • 2 Neil MacDonald   November 29, 2010 at 1:57 pm

    Andre,

    In other words, how about “content and containers”?

    Content being either static or dynamic/executable (aka apps)
    and containers being the things that host the content.

    And our focus in information security shifts more to protecting the content and less about the containers.

    After all, protecting information and workloads has been information security’s charter all along.

    Neil

  • 3 Brett Sampras   November 29, 2010 at 7:39 pm

    This is so true. I think you made a good point about separating the operations from security. It makes sense and you gotta wonder why this isn’t stressed much.

  • 4 Lani Refiti   November 30, 2010 at 6:06 am

    Spot on Neil. Having Risk/Security reporting through Operations/Infrastructure could almost be thought of as a “conflict of interest”.

    Needless to say I’ve seen @ times Risk/Security procedures bypassed by Operations/Infrastructure because it was seen as an impediment to efficient operations.

  • 5 Neil MacDonald   November 30, 2010 at 9:22 am

    Other analysts on our team have published a lot of research on best practices for organizing the information security organization for clients. Here’s one of them:
    http://www.gartner.com/resId=1289815

    What the research shows is that the more mature information security organizations will break out from IT/network operations and report first to the CIO and after this, typically outside of the CIO to a broader risk management organization.

    Agree completely on the need to separate security from operations.

    In a biological metaphor, I like to think of IT operations as the main circulatory system and brain. Information security is separate to a large extent (the immune system). Even in nature these systems are kept separate for a reason.

    @Lani – in regards to bypassing security controls – one option is to use network-based security controls outside the control of IT operations which fail closed if they are disabled. Another is to limit what administrators can do using System Administrator Privilege Management Tools. Also, full logging and audit of administrative activities acts as a deterrent to unwanted and unnecessary system-level changes.

    Neil