Security Through Chaos

  • Comments posted to this topic are about the item Security Through Chaos

  • They were lucky.

    Only means that when the "perfect storm" does occur then no one person is responsible. It is great for the herd like mentality but is short sighted. Company goes under and every one is back on the job market, with everyone saying "but that's okay as It wasn't my fault". I would prefer to work for the company that know that they are doing the right thing rather than luck.

    Anyway, a properly designed network should segregate the concerns. Many companies used to think that the DMZ was a dumping ground for risky servers that had to be accessible by the internet. Now the thinking that each server within the DMZ should not be able to freely communicate to any other server ie each server is firewalled from all other servers. Makes me wonder if the each server is a firewalled (etc) server than get rid of the DMZ altogether.

  • It's not chaos it's diversity. When you look at an abandoned field and its overgrown you might see chaos but there's order there, it's just not centralized. Then look at a well manicured lawn. Which one is going to be easier for a novel fungus or virus to overtake?

  • I'm with the its not chaos its diversity option.

    After all isn't this the model for the Internet?

    I bet the people in the sections love it.

    cloudydatablog.net

  • This isn't really as far-fetched as it sounds. The question is the level of decentralization involved.

    Our unit isn't on the company network, doesn't use company-provided equipment and has its own AD. Within that domain we are very consistent and the buck stops with us.

    We have a good deal of autonomy coupled with a good deal of responsibility. Accessing company resources can get tricky at times, but we usually find a way.

    Large corporations often have many business units, with diverse locations, markets, goals and processes. Architecture that makes sense for one unit may be completely unnecessary or even limiting for another.

    This doesn't even begin to addess the issue of business mergers, etc. You have two companies, each with a well thought-out infrastructure that works and one buys the other. Which one do you migrate to the other - with all the attendant issues and costs - just for the sake of a "consistent" environment or centralized IT support? Sometimes I don't wonder if it wouldn't be better to have distinct well-trained IT support for each unit that is familiar with that unit, it's business needs, etc., and is tasked with keeping things consistent and secure within their area of responsibility.

    I don't know if I'd be comfortable taking that model down to the individual user level, but I do believe that interoperability between diverse architecture and hardware (someone mentioned the Internet) has grown to the point where monolithic, centralized IT services seem to exist more for a combination of "we've always done it this way" and serving the bottom line than anything else.

    ____________
    Just my $0.02 from over here in the cheap seats of the peanut gallery - please adjust for inflation and/or your local currency.

  • Great point lshanahan. The flip side of "with great power comes great responsibility" is "with no power comes no responsibility". The right balance depends on the people involved.

  • I like this as a discussion topic. It's making me think. My natural inclination is: centralised and standards but I can see there is a point to decentralisation. It certainly appears that it might have benefits, like reducing the overhead of maintaining the standards and reducing the spread of "infection".

    I think the key thing has to be "individual responsibility". Are the "individuals" mature enough to cope, and who says that they are?

    Tom Gillies LinkedIn Profilewww.DuhallowGreyGeek.com[/url]

  • The board members of our non-profit company would never allow that.

  • Without a firewall, anti-virus software, or enforced security policy; this company can't really say with any degree of confidence what they're infected with or what their employees are doing with their data.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Dalkeith (4/22/2015)


    I'm with the its not chaos its diversity option.

    After all isn't this the model for the Internet?

    I bet the people in the sections love it.

    It's a bit of both. Certainly my friends were biased in that they came from a very centralized environment, but one that had viruses and worms roll through the environment far too easily.

    It's certainly decentralized, but there aren't a number of departments and groups that choose their way; it's really every individual, which is somewhat chaotic. It's like the Internet, but the internet is for individuals, not those that are somewhat coordinated as in an organization.

  • Sounds like a maintenance nighmare. But if each department has solid IT staff to keep up on licensing and updates, then it might work. I work for a local government, so if it was even suggested, it would not be considered.

  • Personally would probably go for a combined approach.

    Central IT for truly universal applications - e-mail / anti-virus

    Then totally decentralise domain specific applications. Minimal central support on these applications full control over their cost and development within section. Importantly would allow decentralized development.

    I would probably have domain specific DBA for each section AND central DBA.

    I would prefer common DB engine - happy to let people go with different front end technologies whatever tool set works best for them.

    When I am king.

    cloudydatablog.net

  • This is not unlike some of the techniques used a few years years back to phyisically segment networks, and not let internal nodes see each other. Another one like this which has fallen out of favor was "protocol switching". Anyone ever remember running ProxyServer? Run IPX on the internal network and TCP on the outside only?

    At the time it was actually a cheap and effective way to keep your internal structures protected, since the management ports from the two protocols were masked from each other Even if a hacker could get to the proxy, it was fairly difficult to push any further, given the protocol incompatibilties. Nowadays - once the hacker gets into your router most of the time they have full knowledge of where everything is and what to go after.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • This seems more like unintended security through obscurity than a formula to follow.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

Viewing 14 posts - 1 through 13 (of 13 total)

You must be logged in to reply to this topic. Login to reply