יום שלישי, 29 במרץ 2011

The changing landscape of Information technology drives changes in information technology security

I thought this subject to be interesting enough for the global IT & security community so I decided to write it in English instead Hebrew. The article will follow the evolving history of IT & IT security from the start point of IT security somewhere during the 60's of the 20th century till today, the beginning of the 2nd decade of the 21st century, about 50 years altogether. I'll not hide the reasons behind writing this blog entry, It's a combinations of my personal knowledge & thoughts about what happened during the past 50 years in IT & IT security and what lies ahead in the coming years. I was also inspired by an interesting white paper called: "Rethinking Information Security to Improve Business Agility", By Intel IT. Published January 2011:


So Its going to be a combination of history and some prophecy.


1. 20th century: 60's – 70's – Computers were found almost only at companies. Computers were BIG machines located at specially designed Computer Centers that needed careful design, special cooling systems etc. Users used a terminal but had no independent computing power of their own.

Security: Information security was mainly the business of those handling those big machines coupled with a never ending problem - the human factor. The known answer was (and still is): user awareness.

2. During the 70's started to appear on the market early "Personal Computers" like: commodore 64, Atari machines, Sinclair computers (I had one) and others. Those were computers with limited capabilities, but they started a revolution. No more computers at companies only. These were the first wave of computers owned by people. NO connection of these early computers to the company computers.

Security: Security? Nothing changed as a result of these newcomers.

3. 12 August 1981 – IBM PCG the first PC (Personal Computer) from IBM is announced and arrives at the market. It costs between 1,500 $ (the basic configuration) up to 6,000$ for a fully loaded version with color graphics. A lot of other companies rise, fall or merge to create today a huge industry of Personal Computers. The beginning was modest. A clumsy machine for personal use. NO connection to corporate computers. What changed the way the organizations looked at the PC was one application: THE SPREADSHEET. Then it was called Lotus 1-2-3. It was a huge success. Now we all use Excel for personal and organizational usage.

Security: At this point, information security was not a word mentioned together with personal computing. The challenge was to make it something worthwhile for business. This will take sometime.

4. The 80's saw the emergence of Networks based on PCs instead of Main computers and terminals. In this new era, the "main computer" is called "A server" and the workstations are called "Clients". The important point is that the end user has a computer on his desk, not just a "dumb terminal". It started as a Local Area Network (LAN) and his parallel Wide Area Network (WAN). During this decade emerged the connection of computers by telephone lines using modems. Across the world and in Israel BBSes started to emerge. A BBS (Bulletin Board System) used to be like a "mini Internet". It's a computer managed by somebody (organization or private). He keeps the information and manages connections of others to this information & enables the communication among the subscribers to his service. BBSes used to provide much of what Internet provides today.

Security: As those PCs started to become part of the "organizational computing infrastructure", the problem of securing them arose and from that time on the words "PC, server, workstation or endpoint" and "security" or "Insecurity" (depending who is the speaker and when) are inseparable.

5. In the 90's a lot starts to change:

5.1. Slowly but steadily, Internet emerged as a powerful tool for the working environment and for personal use.

5.2. PC industry develops a new "branch", the laptops, a portable personal computer. A PC that can be taken by the end users in a bag, weights a few kilos and holds anything as if it was the PC in the office.

5.3. The connection possibility using the telephone lines from any point to any point made it possible to connect people (generally system administrators and technical staff) from home to the main company computers to assist in problem determination and solving after "normal" working hours. At that time, this was the main reason to allow remote access to the main "crown jewel of the IT at the company", the main computers. We all remember the famous software PC Anywhere used for this purpose.

5.4. Then came the Y2K crisis and almost everybody replaced the old Technology and bought new hardware and software to avoid this coming crisis. Now at the beginning of the new century, the 21st century, the companies had a lot of modern IT. This was a good reason to explore new directions with this new & advanced technology.

Security: Information Security in general is following the changes in the use of IT described above, but always lagging behind new technological innovations of IT and the ways they are being used.


6. The 21st century:

6.1. Emergence of more remote access to the organizational computers connectivity. Organizations allow remote access not solely for problem solving, but many if not all business activities have the ability to be carried out by the relevant employees from outside the organization via remote access, by using secured channels over the unsecured Internet.

6.2. Emergence of customers accessing the organizational computers as part of the service to customers, replacing many of the traditional physical engagements between the customer and the service giver.


6.3. As we turn the page and enter the 2nd decade of the 21st century starts a new revolution. Instead of two separate devices, a computer and a mobile phone, one device being both: a computer and a cellular phone. This is the SMARTPHONE.


Security: We are at the beginning phase of a revolution in security architecture. Till now we are accustomed to use a static architecture. We implement a lot of security features. On the servers, throughout the entire enterprise network, end point security on every end point workstation inside the enterprise, the perimeter of the enterprise is filled with a lot of security features comprising H/W & S/W, security on laptops, encrypted DOK and monitoring capabilities with siem/soc functionality etc. What is emerging is the need to adjust to a dynamic situation instead of a static one. We start to use sometimes our own mobiles, from different places (home, internet café's, planes, different countries etc.), asking for various kinds of using rights from the enterprise where we work or other organizations where we are registered as clients or support team or whatever it be. This new security architecture should be able to identify the risk that a connecting device poses to the device it wishes to connect to, or the risk posed by the services the connecting device asks for throughout the IT infrastructure. I'll not go further into details of this architecture but I believe this is the revolution IT security will undergo in the coming years.


אין תגובות:

הוסף רשומת תגובה