Gartner Blog Network

Rental Cars and Infrastructure Security

by Neil MacDonald  |  November 29, 2010  |  5 Comments

I was out last week on holiday to visit my family for the US Thanksgiving holiday. We flew into the regional airport and rented a car. As we were driving to my parent’s house, I started thinking about the protection capabilities built into the rental car: front and side air bags; automatic seat belts; antilock brakes; traction control; alarm system; keyless door entry and so on. It even had one of the newer keys with the embedded chip.

This doesn’t mean the car manufacturer has to make all of the components. Seriously, much of the automotive manufacturing is done by outside third parties – security and safety related or not.

Best practice would be to separate the security and management control plane from the operational backbone – so something like the airbag and antilock brakes work even if the main CPU is down.

And remember that much of this was the result of regulatory requirements – most car manufacturers didn’t offer seat belts and air bags until they were forced to. That reinforces the role of third-party auditors and regulators to make sure the auto manufacturers are doing the right thing. In our case, this translates to separating the responsibility for setting security policy out of the hands of operations and the impact of the external regulatory environment.

My daughter wanted to sit in the front passenger’s seat, but there was no direct way to disable the air bag (it used a weight sensor to detect if a passenger was seated). In our case, this translates to restricting the ability of administrators to disable security controls.

Infrastructure can’t protect infrastructure? Sure it can and quite well.

Let’s just make sure we continue to follow best practices such as:

  • Separation of security policy formation from operations.
  • Separation of the security and management backplane from the operational network
  • Separation of duties for administrators of the platform and restricting the ability to arbitrarily disable security controls.

Additional Resources

Five Board Questions That Security and Risk Leaders Must Be Prepared to Answer

As board members realize how critical security and risk management is, they are asking leaders more complex and nuanced questions. This research helps security and risk management leaders decipher five categories of questions they must be prepared to answer at any board or executive meeting.

Read Free Gartner Research

Category: security-of-applications-and-data  virtualization-security  

Tags: adaptive-security-infrastucture  endpoint-protection-platform  information-security  next-generation-security-infrastructure  virtualization-security  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Thoughts on Rental Cars and Infrastructure Security

  1. Andre Gironda says:

    I think it’s increasingly important to separate the concept of infrastructure into infostructure (data and apps) and metastructure (the virtualized and compartmentized compute, storage, and network stacks).

  2. Neil MacDonald says:


    In other words, how about “content and containers”?.

    Content being either static or dynamic/executable (aka apps)
    and containers being the things that host the content.

    And our focus information security shifts more to protecting the content and less about the containers.

    After all, protecting information and workloads has been information security’s charter all along.


  3. This is so true. I think you made a good point about separating the operations from security. It makes sense and you gotta wonder why this isn’t stressed much.

  4. Lani Refiti says:

    Spot on Neil. Having Risk/Security reporting through Operations/Infrastructure could almost be thought of as a “conflict of interest”

    Needless to say I’ve seen @ times Risk/Security procedures bypassed by Operations/Infrastructure because it was seen as an impediment to efficient operations.

  5. Neil MacDonald says:

    Other analysts on our team have published a lot of research on best practices for organizing the information security organization for clients. Here’s one of them:

    What the research shows is that the more mature information security organizations will break out from IT/network operations and report first to the CIO and after this, typically outside of the CIO to a broader risk management organization.

    Agree completely on the need to separate security from operations.

    In a biological metaphor, I like to think of IT operations as the main circulatory system and brain. Information security is separate to a large extent (the immune system). Even in nature these systems are kept separate for a reason.

    @Lani – in regards to bypassing security controls – one option is to use network-based security controls outside the control of IT operations which fail closed if they are disabled. Another is to limit what administrators can do using System Administrator Privilege Management Tools. Also, full logging and audit of administrative activities also acts as a deterrent to unwanted and uncessary system-level changes.


Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.