It is almost impossible to pick up a newspaper without finding some report of cyber threats and data breaches. Estimates of skill shortages are published as businesses across the globe race to improve security and reduce exposure to risk. IT security has become a huge part of the budget and is expected to increase. Much of this cost can be attributed to one single underlying problem: back office operations have become far too complicated, with too many systems performing the same function within the business and too many exceptions making business rules unnecessarily complicated.
Significant security benefits can be realised by delivering a programme of application consolidation and business streamlining, but first serious consideration needs to be given to the causes of software proliferation: unless those causes are eliminated, the efforts and benefits will quickly be undermined. Here are some of the many causes:
- The lack of a defined standard set of infrastructure, operating system and database technology. With this in place, the standard can be used as a benchmark for evaluating new software systems, and solutions which don’t fit the target environment can be rejected quickly.
- The lack of an agreed white list of software which staff are allowed to use. Without a standard approach, different people, teams or departments will inevitably make different decisions on what software they will use.
- Users having permission to download and install software is an obvious cause. Even if the individual user doesn’t have permission directly, when combined with the lack of a standard they will be able to ask someone in the IT department to install the software, and the request is unlikely to be rejected. Choice of software can be motivated by personal preference, such as a lack of understanding of one product while being an expert in another.
- The IT implications of Mergers and Acquisitions are seldom considered prior to an agreement being reached and although the nature of the businesses could be identical, the infrastructure, operating systems, databases and software systems could be completely different.
- Purchasing a new system without fully understanding the dependencies and implications can lead to new technologies being introduced to the business. For example, a company with 1000 Windows servers agrees to purchase a new system which requires Linux, which in turn requires new hardware, new software, new skills and cross-system integration. In a short space of time the IT environment becomes significantly more complicated. The same can apply to other combinations, such as an estate made up of Microsoft SQL Server databases inheriting or purchasing a new system which requires Oracle.
It will always be possible for someone to justify an exception to any standards which are defined, whether for reasons of personal preference, experience or the lack of it, or anything relating to costs. The important point which cannot be over-emphasised is that the greater the diversity of hardware and software within an organisation, the greater the overall running cost will be, the higher the number of problems experienced will be, and the more complicated and eventually chaotic IT becomes.
With this increased complexity and chaos comes an increased requirement to improve security. The more systems there are, the more security needs to be managed: more systems need to be patched, more systems need to be audited, and more systems can be vulnerable. In other words, the attack surface becomes much larger. Essentially the focus here is reducing the attack surface area by streamlining the use of software systems.
Henry Ford said that a customer could have a car painted any colour they wanted as long as it was black. Although this was said in jest, and cars were in fact manufactured in many different colours, his comment accurately illustrated the point that production is fast and efficient when it is streamlined and the same process can be followed repeatedly. Here we are talking about streamlining software and its positive impact on security and the reduction of exposure to risk.
Information security consultant with over 20 years’ extensive experience gained across a diverse range of private and public industry sectors, including insurance, banking, telecommunications, health services, charities and more, both in the UK and internationally. Graduated in 1997 with a software engineering degree and specialises in cyber security, risk analysis, compliance reporting and access management.