From outdated server infrastructure and operating systems to manually maintained network gear and unpatched end-user compute: there are many ways that technology can expose organizations to increased security risks and outages. To avoid these risks, businesses need to fully understand the health of their IT systems and take a proactive approach to managing the IT infrastructure that is running all workloads, not just the critical ones.
There are many resources that can help organizations evaluate their current security posture and move from a reactive position to a proactive position. It is critical that IT organizations become not just the providers of these services, but partners to the businesses implementing them.
Maintaining the compute power
How well do you know the health of your business’s compute power? Are you sure it’s not putting your company at unknown risk?
Whether your compute power is located on-prem, in a co-location, or in the cloud, there are multiple layers of maintenance that need to occur on a regular basis. If not properly maintained, each device and layer of its maintenance is a potential security risk
There are three parts of the compute layer that need to be considered: the firmware of the hardware components, the operating system (OS) itself, and the major software components that control functions within the OS.
1. The firmware layer
Updating firmware helps address critical problems, such as unresponsive servers, which can put your system at risk. Firmware updates also correct product issues such as ROM or processor functionality to improve system performance, and make the system easier to service.
Keeping firmware up to date is critical to maintaining system stability, performance, and security, yet investigating firmware is not part of regular maintenance for many organizations. Some do not check it at all. It is important to update firmware (also called “flashing the ROM”) as part of regular service maintenance, and to check for specific firmware updates between regular updates for optimal performance.
2. The OS layer
The OS layer includes the OS of the virtualization layer and the OS of the physical or virtual server.
All OS vendors provide regular patches or updates from their operating systems. Many organizations rely on third-party solutions to handle these updates, which can sometimes lead to issues if the processes are not fully understood and co-managed. For example, when a new patch is released that supersedes a prior patch, third-party systems may report that the prior patch is “compliant” because it is no longer needed, even though it was never installed. Or there may be prerequisites missing; the system has not installed many of the required patches, but reports that the patching process script is complete even if the patch installation does not.
Business restrictions on system reboots can also cause issues. The patch is completed, but some operating systems will continue using the old code until they are rebooted. These are common scenarios that can increase security risks and jeopardize system stability.
3. The software layer
The third layer is the major software components — drivers or other code that is managed by the OEM or third parties — that control system functions within the OS. Like OS patches, these major software components are critical to maintain performance, stability, and security.
For the most part, these three layers exist in all the hardware components in the datacenter, whether on-prem, co-location, or cloud. (Some hardware does not have reprogrammable firmware or has parts that are not reprogrammable. Some operating systems are controlled by a peripheral supplier and therefore are out of scope from “normal” operations.)
With cloud computing, businesses pay hyper-scalers to manage firmware and physical machine maintenance, as well as their virtualization layers, but the organization is still required to manage the rest.
Do you have a holistic understanding and uniform set of practices across the whole network?
IT networks are the fabric connecting everything in the modern enterprise, so it is critical that they are adequately maintained. Ransomware and other cyber-attacks can proliferate through design or maintenance issues throughout networks. However, keeping networks up to date can be challenging, and even necessary maintenance such as updating operating systems and installing patches can put networks at risk.
Many organizations do not have full redundancy in all their switching layers, leading to single points of failure, meaning one failed device can bring down multiple other devices and applications. Businesses concerned about potential routing issues sometimes avoid rebooting at all costs because there is a risk that a switch may not come back on after it is rebooted, or that it will come back on improperly and require remediation.
Changing consumer and industry demands have exacerbated these issues. Businesses feel pressure to provide services that their IT program does not currently support (or does not adequately support) and go outside of IT to pursue new technologies without a proper implementation strategy. In the rush to embrace cloud computing, for example, some businesses have failed to properly enroll IT in the transition, forcing IT to take a reactive role that can lead to gaps in security and usability.
To keep up with business shifts and the growth of cloud, organizations need to expand their networks while maintaining IT performance and resiliency. Wipro sees a lot of organizations that are working toward software-defined networks (SDN), but these networks are sometimes implemented only in the greenfield spaces rather than holistically across the network. This approach increases complexity, cost, and risk down the line because the SDN is not being integrated with the legacy system. Piecemeal modernizations are fine, but they need to be done strategically, working toward a goal that accounts for the entire network.
Another major risk area is how the legacy networking environment was put together. This is both a business risk and security risk.
Manually coded rules controlling user movement or ports, for example, are not always consistent. Sometimes there is less accessibility management in legacy data centers, or one admin might have started by excluding everything and opening as need while others have started by allowing everything and blocking as issues arise. When security events occur, complex and inconsistent network management increases downtime and vulnerability, leading to more penetration points for cyber-attackers.
Workplace security and mobility
With the push for zero-trust environments, the need to be diligent is increasing as well. What is your current level of risk? Are your most precious assets really protected and are they helping to protect the enterprise?
Whether on site or remote, employees are a risk to the business. It can be easier for organizations to manage how employees access company networks when they are working in the office rather than remotely, but human error and underdeveloped security strategies still pose risks.
To reduce these risks while still enabling flexible ways of working, organizations need to focus on a few areas in particular.
Like server infrastructure, one of the most often overlooked areas of the worker environments is the hardware, including desktops, PCs, and mobile devices. While most companies have processes in place to bring machines up to spec when they are ordered, some assume incorrectly that machines come from the OEM with the latest hardware firmware loaded. All new machines need to be processed, their hardware brought up to current firmware revisions to address any issues with applications, stability, or security vulnerabilities.
After the hardware is fully updated, the operating system, drivers, and agents need to be updated to eliminate any business or security risks. Businesses sometimes think that they are saving money or streamlining processes by skipping this step, but those costs are almost always deferred to the end user. Employees cannot do their jobs effectively if they are fighting with their devices. And if the operating system on those devices is out of date, employees may be putting the company at risk just by doing their job.
Once companies set employees up with the right hardware and OS assets, businesses need to ensure they have the processes in place to maintain those assets. There are many elements to a proper maintenance program, such as scanning and maintaining of all the hardware code from the BIOS to potential firmware of the embedded devices (drives, graphic processing units, network interfaces) as well as all the increasing variation in peripherals. This can be increasingly extensive with additions of things like AR and VR. There is also the software for the OS, drivers and agents that need to be maintained. Finally, it is important to make sure, especially for critical security patching, that reboots occur. End users tend to put off reboots, especially in the engineering and factory worlds, to avoid downtime, but the risk of exposure increases until all necessary reboots are completed.
Getting proactive instead of reactive
It is critical for companies to transition from a reactive IT program to a proactive one — working to understand what their business needs will be in the future and how to apply technology to achieve them while addressing any associated security risks.
What’s preventing your organization’s transition from reactive to proactive? Are you working with a lot of legacy tech debt? Are outages and security incidents taking too much time? Do your teams need upskilling and cross training?
These questions can help you identify priority areas in your business’s digital transformation. Working with an experienced technology partner can help you better understand the transformation your business needs and strategize the best path forward.
To learn more about Wipro’s approach to Accelerating Your Innovation, visit Innovation.
Global CTO and GM,
Wipro iCORE-Cloud Infrastructure Services
Nicholas Holian serves as the Global CTO and GM for Wipro’s iCORE-CIS business unit with a focus on customer growth strategic transformations using new and emerging technologies and methodologies. Nicholas has been helping customers understand how to take advantage of cost savings, automation, cloud and other technologies to accelerate their business transformations to meet their customer demands.