The Risk in our Computing over time..
The foundation of all Risk Management (J.Hodgson 2016)

In the Beginning......

In the 1970s, business computers lived in special buildings purposely built for them, with big power and chillers. The three security features were 1) A secure building (without big "Computer Here" labels); 2) Careful Power access designs (preferably from two subnets); and 3) at least two EDVAC Chiller Airconditioners. Communications were optional IF the system had one of those "new communication things". All security was the responsibility of the Operations Manager and senior operators, consisting of strong staff vetting, simple risk assessment and management, and good technical skills and understanding, starting from the system vendor down.

Risk treatments were MOSTLY based on physical measures, on-call technical staff, onsite spares, two A/C units, locked doors and secure storage.

Terminal/Data Networks Grow...

In the 80s, the network started to grow as terminal-supported "TTY Online Networks and Data Links" started to grow in size and numbers. Users were no longer "beside the computer room", they were remote and their unique UserIDs, Passwords and job logs became important as processing loads and data now came from remote sites, and operators no longer really knew what was running from moment to moment.

This is the time when the AS/NZ 4360 risk standard began to be developed. PCs and specialised small computers became common and data transfer outside of dedicated data lines became more frequent. As soon as someone identified how to use FTP from a PC to a mainframe/mini computer, the risks of data loss and corruption became evident, and the specialisation of Computer Security Officer started to be seen.

Complex Multicomputer Networks

The 90s were the decade of multi-connected large computers, with ARPANET (the Internet forerunner), SNA and TCP/IP network protocols becoming multi-featured. To make things worse, computers with very different security and risk profiles were now connected by shared networks. Data, Processing, and Facility Security became much more complex and specialised; and as the decade progressed, evidence of misuse of the shared network resources started to be seen. Most enterprise computing use was now focused on online data access and use, with data centre workloads dedicated to massaging the data outside working hours for the next morning.

Computer Security Teams were now critical for most Enterprises, and specialist security software and devices were now common at the data/network centres.

The age of the Internet

From 2000 onwards, we are living in the age of the Internet and ubiquitous connection to enterprise data systems and functionality. Electronic business transactions are now the norm, with paper reverting to backup, emergency (or convenience) use only. Hardware and Data Centres are now large specialist environments again, but divorced from the business by Cloud, Virtualisation, and Off-shoring strategies.

Security now contends with multi-layered technology, virtualisation, and data transiting the world's networks in an instant. The Computing Security profession has split into multi-skilled areas: Penetration Specialists, Hackers, Risk Specialists, Architects, Managers, IRAPpers, Accreditation Certifiers, and many more. It has now become as complex as the networks and systems that the teams try to protect. Threats are multiple and evolving rapidly. Because of the low "engagement" costs, Nations now see Cyber-Threats as "most likely and serious" after their concerns about small and violent Terrorist plots.

Where-to beyond 2020?

There is no sign that this rate of "progress" in ICT, Data and Communications capabilities is slowing down. Whereas modern warfare is into incremental improvements (outside of ICT and data) in weapon systems and personnel training, computing has not yet reached that point of stabilisation from reducing technical progress or human ingenuity. Whatever the human brain can envisage, the ICT industry quickly implements or improves.

Computer Security is now a 24hr/7day occupation and worldwide. Systems are firewalled, scanned, logged, sensed, heuristically watched and upgraded as fast as possible. Computer Security teams monitor the blogs and intelligence websites constantly looking for the next disastrous attack scheme to surface.

Computer Security is now established as a real specialist occupation, with young staff selected for their interest in "how the backends work".

Yet, we seem to have forgotten the simpler things, like every-day events around power, staff well-being, technical skills, resource management, fall-backs, strategies, alternative sites, and such. These have rarely gone away, but are often hidden behind 3rd-party contracts, hidden overseas, disguised by virtualisation, lack of visibility (and understanding), poor documentation and training, misunderstood complexities and sometimes just pure incompetence.

Just like ANY Complex Artefact, Structure and Common Understanding is Critical

We have Architects, Engineers, Material Surveyors and specialists for large building projects for a reason. They all contribute their particular expertise, knowledge, and skills to one or more aspects of the complexity that a larger construction represents.

AND the stage of construction defines who is leading, who is engaged, advises, or follows. Most importantly, the Business Brief to the Architect sets the scene as to the eventual utility and features of the building that support and foster the aims of the enterprise commissioning the development.

When dealing with Computer Security it is no different. The Objectives of the Business must be paramount in the mind of the Architect, translated and woven into drawings, language and specifications the other specialists can understand and apply. The Architect consults UP and DOWN the other participants, to get the skeleton of the structure right, balancing both Objectives of the business and evident Risks that will cause damage to the business, its values, and assets.

Without achieving this common balance (objectives, values, assets, and intents), the System Build or Renovation is at risk of not supporting the business's intent as was originally foreseen. You have to start somewhere, and it's here at the INITIAL ARCHITECTURAL ASSESSMENT, which MUST include the Initial Security Assessment as part of the Architectural Concept.



From experience I think the biggest problem is a perception problem where people tend to think the architect is a technical person who has all the answers upfront whereas a great architect actually has the nous to bring all the knowledge and contributions from all the domain specialists together into a cohesive strategy/architecture that aligns to the business objectives. Therefore he "speaks" business just as much if not more than he "speaks" tech.

Great historical overview John, coupled with your projection that no matter the future and risk and complexity of the technological change, the IT Architect's role is to continue to build and shore up the foundations, and write it all up for others to comprehend!

I imagine civil engineers and planners can relate to this as an analogy to the kinds of frustrations they face, too. Once complex systems are built, any key considerations left out will have to wait, often for long periods of time, to be integrated into the next iteration.
