Trusting in change

Unauthorised and unaudited changes are the most likely factors to compromise the security of a company’s data centre, says Gene Kim, CTO and founder of Tripwire, the vendor of infrastructure change management software.

Originally responsible for an open source software solution for monitoring servers, Kim has grown Tripwire into an enterprise-level auditing and configuration assessment system. He is also co-author of the IT industry bestseller Visible Ops, a study of companies with best-in-class service levels and the source of the eponymous methodology for combining operational functions with security necessities. Visible Ops has sold 75,000 copies.

Security versus operations

“A security person knows an organisation is only one change away from front-page news, regulatory fines and brand damage,” he says. “But an operations person sees the security person as someone guaranteed to spend time creating processes that suck the will to live out of an organisation.”

Operations perceives security as “creating bureaucracy, delaying implementation and generating a backlog of reviews”, while security struggles with operations over “deploying insecure components, poor availability of IT services, using shared accounts to simplify access and failing to address vulnerabilities quickly.”

While appearing to sympathise with operations, Kim doesn’t see security as optional and thinks many businesses are playing a very risky game.

The largest category of findings arising from the US compliance act, SOX404, “are IT-related over finance and tax”.

Finding common ground

While acknowledging that “managing information security is now necessary to advance business goals”, Kim doesn’t side with operations or security. Instead he tries to find common ground.

“It’s not easy integrating security into operations,” he admits. “Operations hinders security; security hinders operations. IT is under pressure to respond more quickly to business needs and to provide stable and predictable IT services.”

Both sides can help the other if they are on the same page, he says.

“Security can help operations to detect operational errors, while operations can help security pick up security errors. High-performers in this area are finding and fixing breaches faster, undergoing fewer emergency IT changes, and completing six to eight times more projects than low-performers.”

With 80% of security issues caused by a change to systems, change management is the key differentiator between the high-performers and the low, he argues. “If you ask anyone in IT operations at the NYSE to make a change, they’ll say they have to get authorisation first. It might involve more bureaucracy, but they know they are only one change away from being a low-performer.”

Low-performers, Kim says, “have a culture of rebooting. If that doesn’t work, they reboot the machine next to it, and if that doesn’t work, they reboot all the servers. Then they blame the firewall guy.”

In contrast, “high-performers fix things the first time, 90% of the time.”

Operational gains

As well as the organisation benefiting, operations can gain from working together with security, he says. “When control over change goes up, the auditor’s perception of the company goes up and IT spends less time prepping for an audit. The operations department is seen as more nimble by business and generates higher user satisfaction.”

Tripwire’s technical director for international business, Gavin Millard, adds that although it is technically possible to restrict IT infrastructure change, it is more beneficial to promote a culture of personal responsibility, rather than restriction.

“When there is a name attached to every change made, people stop taking big risks,” he said. “It brings about a cultural shift.”

Related Topics