Church Of The Swimming Elephant

Uptime vs Security

Corporate IT's biggest downfall is its focus on uptime above all else. In the IT sector, uptime is god. Customers want guaranteed uptime, managers focus on uptime, and everyone views uptime as the key to a well-managed system. There is a huge problem with this focus: when a vulnerability is discovered, a system usually must come down to be patched, and the focus on uptime does not allow that.

You can't make your uptime goals if you have to take the system down to patch a security vulnerability. As a result, security must take a back seat to uptime. When a new vulnerability is released, the patch is not likely to hit production systems for months, if not longer. It must be studied. The impact must be evaluated. The patch must endure testing. All of this takes time. Meanwhile, the production system is vulnerable to compromise.

Managers gamble. In every IT department I have been in, managers gamble with customer data. They gamble with customer trust. They frequently know that a system is vulnerable, but they gamble that they will not get caught with their pants down, and instead of patching, they focus on keeping uptime. Every IT department that has a focus on uptime is making this exact gamble. Vulnerabilities are discovered almost daily. This means that a few times every year a system is left running with a blatant vulnerability because uptime must be kept above all else.

The impact of this focus on uptime above security is obvious. Systems are compromised daily. Customer data is spread all over the Internet. Crackers attempt to blackmail companies on a regular basis. Just read the news and it is plain to see. Companies do not care about security; they care about uptime. Oh, they'll make the necessary motions to look like they care about security, but when it comes down to brass tacks, uptime wins.

Why is uptime the king? That's actually kind of obvious: if the system is down, you are losing money, either as lost revenue from purchases that would have happened if the system was up, or as customers leaving the service because it was down for a little while. The one thing I promised myself was that if I ever ran an IT business, security would come first, even if it meant losing some money.

Putting security first sometimes means rushing new patches into production, or disabling key services until they can be patched. But it also means not taking the vulnerability gamble and not deliberately risking customer data, even if it causes some downtime. Patches don't always go smoothly, especially in a custom environment, and many patches require that the service be brought down to be applied. That is the trade-off: uptime for security. Making this trade means losing some business. Is it worth it?

I believe it is. Yes, we lose some money by putting security above uptime, but I believe those are short-term losses. The short-term losses due to occasional downtime are more than offset by the potential losses due to a compromise. A compromise means loss of customer trust. It means a mass exodus of customers. It could mean the death of the business. That is a much larger loss than losing a few orders here and there.

Because of this, I am not willing to make the gamble that every other service makes. When I am in their world, I must bite my tongue and continue to administer a system that I know is vulnerable because I am tied up in red tape. But when I am in my world, I get to do it my way. Cotse is my world. I am not willing to gamble customer data just so I don't lose a little money. I will continue to strive for the best uptime, but not if it means deliberately compromising security.

Will it pay off in the long run? Hell, I don't know; the world is still focused on uptime. Also, nothing is 100% secure, and a compromise could still happen. But if there is a compromise, it certainly won't be because I deliberately gambled away customer trust. What I do know is that if more managers and customers had this attitude, the Internet as a whole would be far more secure.

/steve
07/23/2002

All pages ©1999, 2000, 2001, 2002, 2003 Church of the Swimming Elephant unless otherwise stated
Church of the Swimming Elephant©1999, 2000, 2001, 2002, 2003 Cotse.com.
Cotse.com is a wholly owned subsidiary of Packetderm, LLC.