It is almost impossible to pick up a newspaper without finding some report on cyber threats and data breaches. Estimates of skill shortages are published as businesses across the globe race to improve security and reduce risk exposure. IT security has become a considerable part of the budget and is expected to increase. Back-office operations have become far too complicated: too many systems perform the same function within the business, and too many exceptions make business rules unnecessarily complicated.
Significant security benefits are achievable by delivering a programme of application consolidation and business streamlining. Still, serious consideration needs to be given to the causes of software proliferation, because without eliminating the causes, software systems will continue to multiply, undermining all the efforts and benefits. Here are some of the many reasons:
- Lack of a standard set of infrastructure, operating system and database technology – having such a standard serves as a benchmark for evaluating new software systems, by rejecting solutions which don’t fit the target environment.
- Lack of an authorised list of software – without a standard approach, different people, teams or departments will inevitably make decisions on what software they will use.
- Users permitted to download and install software – even if the individual user doesn’t have permission directly, when combined with the lack of a standard they will be able to ask someone in the IT department to install the software, and the request is unlikely to be rejected. The choice of software could be motivated by personal preference, such as a lack of understanding of one product combined with expertise in another.
- The IT implications of mergers and acquisitions – IT is seldom considered before an agreement is reached. Although the nature of the businesses could be identical, the infrastructure, operating systems, databases and software systems could be completely different.
- Purchasing a new system without fully understanding its dependencies and implications can lead to the introduction of new underlying technologies to the business. For example, a company with 1,000 Windows servers agrees to purchase a new system which requires Linux, which in turn requires new hardware, new software, new skills and cross-system integration. In a short space of time, the IT environment becomes significantly more complicated. The same can apply to other combinations, such as an estate made up of Microsoft SQL Server databases inheriting or purchasing a new system which requires Oracle.
It will always be possible for someone to justify an exception to any standards which are defined, whether that be for reasons of personal preference, experience or lack thereof, or anything relating to costs. The important point, which cannot be over-emphasised, is that the greater the diversity of hardware and software, the greater the overall running cost and the higher the number of problems experienced. IT becomes more complicated and eventually chaotic.
With this increased complexity and chaos comes an increased requirement to improve security. The more systems there are, the greater the security requirement: more systems need patching, more systems need auditing, and more vulnerabilities need fixing. In other words, the attack surface becomes much more extensive. Essentially the focus here is reducing the attack surface area by streamlining the use of software systems. Henry Ford said that a customer could have a car painted any colour they wanted as long as it was black. Although he said this in jest, and he did in fact manufacture cars in many different colours, his comment accurately illustrates the point that production is fast and efficient when streamlined with repeatable processes. Here we are talking about streamlining software and its positive impact on security and reduction in exposure to risk.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.