17th Annual Computer Security Applications Conference
December 10-14, 2001
New Orleans, Louisiana

Case Study - An IT Safety Index: Measuring Security Risks Caused by Rapid Capacity Expansion and Loss of Repeatable Builds

Gene Kim

Defenders of IT infrastructure often face enormous outage costs, and so become the targets of risk assessments and IT controls that attempt to "fix" security problems. These measures, however, merely address the symptoms, leaving the underlying disease untouched. In many organizations, IT auditors and IT defenders perpetuate "break/fix" cycles that cause the infrastructure to drift further and further from repeatable builds and deployments. The result is decreased IT productivity and potentially larger remediation efforts in the future, while the underlying defensive posture has not improved.

To motivate a novel approach to this problem, an analysis of the post-mainframe era will be presented, showing how we arrived at this surprising state of affairs. Case studies will show how many IT organizations are stuck in break/fix cycles, constantly chasing after the bad guys (what are the newest hacker exploits?) or, worse, constantly chasing after the good guys (how can I patch all my production servers with all the new hotfixes?). A simple framework of IT capabilities (using only small numbers and primary colors), developed by Gene Kim and Dr. Gene Spafford, will be presented. Case studies are used to illustrate the attributes of Level 0 through Level 5 organizations. The scale is used to show how capabilities such as repeatable builds and change detection are crucial to maintaining production systems, and how security problems are so often merely a symptom, not the underlying cause.

