Does Infrastructure Really Matter When it Comes to IT Security?

Yes, infrastructure absolutely does matter and has a profound and immediate impact on enterprise security.

Server hardware (and the server operating systems and applications that run on it) forms the bedrock upon which the performance, reliability and functionality of the entire infrastructure rests. Just as you wouldn’t want to build a house on quicksand, you don’t want your infrastructure to be shaky or suspect: it will undermine security and network operations, negatively impact revenue, raise the risk of litigation and potentially cause your firm to lose business.

And that’s just the tip of the iceberg. These days, many if not most corporate enterprises have extranets to facilitate commerce and communications amongst their customers, business partners and suppliers. Any weak link in infrastructure security has the potential to become a gaping hole, allowing a security breach to extend beyond the confines of the corporate network and extranet. Security breaches can infect and invade other networks with astounding rapidity.

Increasingly, aging and inadequate infrastructure adversely impacts enterprise security.

ITIC’s 2013 Global Server Hardware and Server OS Reliability survey, which polled over 550 businesses in spring 2013, indicates that a 53% majority of businesses find that security has a moderate, significant or crucial impact on infrastructure and overall network reliability. This compares to 28% of respondents who said security had only minimal impact on infrastructure reliability and seven percent who said it had no impact because the two were separate and distinct. Another 12% of those polled said their organizations don’t track the impact of server hardware and server OS security on infrastructure reliability. This is double the six percent of respondents who said they didn’t track server OS security’s impact in ITIC’s 2011 poll, and it marks a disturbing trend.

Similarly, 47% of ITIC Reliability survey respondents indicated that when a significant portion of their firms’ main line of business (LOB) server hardware is three and a half years old or older and the firm fails to upgrade security, it has an adverse impact on server uptime and reliability. Approximately one-third, or 35%, of respondents said aging servers 3 ½ years old or more didn’t adversely impact reliability; this is down significantly from the 56% of participants who responded “No” in last year’s survey.

  • Incompatible patches, drivers and applications: This is another long-standing problem that continues to plague corporations and lower reliability.
  • Human Error: The ITIC 2013 reliability survey marks the first time that respondents had the option of choosing “user error” as negatively impacting security and reliability and it shot to number two on the list, with 28% of respondents acknowledging the impact of IT staff mistakes on downtime.
  • Nearly one-third cited bugs/flaws in the operating system as contributing to downtime, while 24% of participants blamed server instability/problems for downtime. And 22% of respondents indicated that security issues and the fact that their IT departments were understaffed and overworked also negatively impacted network reliability.

There is clearly a direct correlation between the 28% of survey respondents who blamed human error for reliability issues and the 22% of participants that specified understaffed, overworked and inadequately IT departments and administrators as undermining infrastructure reliability.

Corporate enterprises must take responsibility for keeping their infrastructure up to date in order to fortify security. That means regularly replacing, retrofitting and refreshing their server hardware as needed. The server operating systems and applications should be updated regularly with the necessary patches, updates and security fixes to maintain system health.

Enterprises should also review their security policies and procedures every year at minimum. Companies should also install and keep current on the latest security products such as anti-virus, authentication, intrusion detection and audit trail software and security devices. Security training and awareness is a must for IT and security staff and end users. The onus is also on the server hardware and server operating system vendors to provide realistic recommendations for system configurations to achieve optimal performance. Vendors also bear the responsibility to deliver patches, fixes and updates in a timely manner and to inform customers to the best of their ability regarding any known incompatibility issues that may potentially impact performance.

The data and business you save may be your own.

To hear more, join me, Stu Sjouwerman, founder of KnowBe4.com and ESG security analyst Jon Oltsik in an IBM “virtual debate.” We’ll discuss such topics as crypto hardware from an investment point of view and the “secret hardware vs. software sauce” needed to make up the ultimate level of system security for an organization. Read more about the debate on the IBM Smarter Computing blog.