I was out last week on holiday to visit my family for the US Thanksgiving holiday. We flew into the regional airport and rented a car. As we were driving to my parent’s house, I started thinking about the protection capabilities built into the rental car: front and side air bags; automatic seat belts; antilock brakes; traction control; alarm system; keyless door entry and so on. It even had one of the newer keys with the embedded chip.
This doesn’t mean the car manufacturer has to make all of the components. Seriously, much of the automotive manufacturing is done by outside third parties – security and safety related or not.
Best practice would be to separate the security and management control plane from the operational backbone – so something like the airbag and antilock brakes work even if the main CPU is down.
And remember that much of this was the result of regulatory requirements – most car manufacturers didn’t offer seat belts and air bags until they were forced to. That reinforces the role of third-party auditors and regulators to make sure the auto manufacturers are doing the right thing. In our case, this translates to separating the responsibility for setting security policy out of the hands of operations and the impact of the external regulatory environment.
My daughter wanted to sit in the front passenger’s seat, but there was no direct way to disable the air bag (it used a weight sensor to detect if a passenger was seated). In our case, this translates to restricting the ability of administrators to disable security controls.
Infrastructure can’t protect infrastructure? Sure it can and quite well.
Let’s just make sure we continue to follow best practices such as:
- Separation of security policy formation from operations.
- Separation of the security and management backplane from the operational network
- Separation of duties for administrators of the platform and restricting the ability to arbitrarily disable security controls.
Category: information-security virtualization-security
Tags: adaptive-security-infrastucture endpoint-protection-platform information-security next-generation-security-infrastructure virtualization-security
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.