You can’t protect what you don’t know!
As a consultant I have worked with organisations in many different industries. Unfortunately, I have also witnessed how little planning often goes into infrastructure management. Companies start off small and grow their infrastructure without necessarily overhauling the way they manage it. The lack of proper decommissioning is a good example of this uncontrolled growth.
Even worse, organisations build large IT environments without sufficient levels of planning. Things get added and are made to “just” work, architects seem to exist, but often draw pretty pictures rather that develop a plan that reflects what services a business needs.
Why do I care? As a professional focussed on information security, I believe by changing the way IT services are documented and managed, organisations can gain many benefits. Not only could organisations reduce management costs, they could also react faster to the changes in the industry, and potentially reduce their operational security risks. The question is how?
Let’s start with inventory. I have often worked with large organisations that have experienced issues identifying and providing documentation of their IT infrastructure. After digging they usually find some, but the documentation is often outdated or missing critical pieces. In the best cases the documents have good information, but they are cumbersome to read, or it takes too much time to identify anything relevant.
These days it shouldn’t be hard to choose some tools and processes to manage and maintain your documentation in a way that is not only usable, but also searchable and easy to maintain.
To give an example, you might be familiar with Visio when it comes to creating network diagrams or architecture drawings, but have you ever used some of its more sophisticated features? Visio can not only be used to create network diagrams, it’s also possible to directly link configuration information of any network devices in it. And when paired with a document versioning tool this could be easily offer an efficient way of maintaining your infrastructure documentation. My point is not to suggest that Visio is the right tool for you, but rather that with the right tools and processes, IT environments can be maintained more effectively.
There are many benefits to a well-documented and maintained environment, combined with the right tools. IT auditors will be able to identify relevant information quickly, organisations will save costs when reviews are required. External consultants will be able to provide better assessments and make recommendations concerning changes faster.
The change board is also able to analyse the impacts of changes more efficiently. Most importantly, a well-documented environment in an easily searchable (or at least comprehendible) format allows for far better risk assessments.
You can only protect what you know of your weaknesses. To know your organisation’s weaknesses—the weaknesses of your IT infrastructure for example—you need to fully understand what your environment looks like.
How many large organisations do you know that can quickly pull out the right documentation, providing an overview of their network infrastructure and its configuration? I haven’t come across many. If they could provide details of how many systems would be vulnerable to a particular 0-day (for example) an assessment becomes so much easier. With the right documentation security budgets can be more easily directed towards areas of high risk and low investment.
On the flip side, not knowing what an organisation has either requires spending more money on security assessments prior to investing, or focusing security budgets in the wrong area—leading only to marginal improvements in an organisation’s security stance.
I think that if you want to invest in the security of your organisation strategically, start by documenting your IT environments and implement the tools that allow you to easily maintain that documentation. I am not necessarily referring to classical documents like PDFs or Word files either, rather a structure that allows for easy maintenance. This might be a version controlled wiki, a combination of “smart” documents that also contain configurations, or any other combination—it doesn’t really matter. What’s important is to have the right documentation and make it easily maintainable, because you can’t protect what you don’t know.
This article is brought to you by Enex TestLab, content directors for CSO Australia.