Can We All Just Get Along? Why Platform Diversity is Becoming a Bigger Issue for Enterprise IT Security
When Rodney King pleaded, “Can we all just get along?” following the Los Angeles area riots in the spring of 1992, he had no idea the impact his words would have. Replayed countless times again on TV and reprinted in newspaper articles, these words became an iconic call for harmony— harmony in the face of the tension that can grow when groups with diverse backgrounds, challenges, and goals must learn to communicate, collaborate, and live together.
Why did King’s words resonate so profoundly? Undoubtedly, it was because they perfectly captured the feelings of many Americans at the time. But perhaps it also was because they represented the larger struggle we all face in coexisting with others—a struggle that can exist across a spectrum of backgrounds, geographies, and circumstances.
The enterprise IT security environment is becoming an increasingly diverse “society” of sorts, and is struggling to ensure harmony among its key players. Today, there’s a diverse mix of enterprise computing platforms—primarily Windows, Unix/Linux and mainframes— that increasingly must interact with one another. Each has its own unique advantages and challenges, and from a security perspective, each approaches the issue much differently.
The problem is that while these platforms tend to operate securely alone or networked with like platforms, they’re much more vulnerable when communicating with other platforms. And, to make matters worse, IT personnel trained on one platform often tend to look with disdain on other platforms. As a result, they avoid developing the inter-disciplinary skills necessary for effectively implementing security in mixed-platform environments.
Clearly, the stakes are quite different between the enterprise IT security environment and the circumstances surrounding the Los Angeles riots. But, taking Rodney King’s words as a cue, the IT security industry may learn a thing or two about effectively dealing with diversity.
The mainframe has long been the keeper of the most sensitive corporate data assets, and has traditionally enjoyed the strongest security. It’s no surprise, then, why mainframe engineers are quick to look down on other platforms.
The cornerstone of the mainframe security approach is a stringent control over user access. Quite simply, only authorized personnel with the proper passwords can access data stored on the mainframe. Historically, this was an easy security approach to maintain, as mainframe systems were usually hardwired to dedicated terminals where access could be strictly controlled.
However, the modern world of computing has changed all this. The expanding access provided by the proliferation of user computing platforms, as well as the increase in interconnected applications— both from within the organization and among business partners—has, in effect, exponentially increased the potential for mainframe security breaches.
There’s another danger. Mainframes also have relied heavily on front-end servers to provide data to users and other applications. These front-end systems can be potentially compromised by Trojan horses, sniffing and other means, thereby enabling malicious users to use these front-end systems as a launch pad for back-end attacks. Also, communications between the mainframe and users are often in the clear, using TN3270 and File Transfer Protocol (FTP), opening another avenue for data compromise.