When I was asked to write about IT Infrastructure, I was quite excited. During my career, I have enjoyed learning about all kinds of tools and technologies, seeing the pace of innovation increase dramatically, and generally watching the IT industry change for the better. But when I sat down to write this article, I was drawn to the importance of building foundational elements that will withstand the change of technology, tools, software languages, etc.
"From firewalls, to intrusion detection and prevention solutions, to antivirus/antimalware, to web application firewall, to vulnerability testing, every team needs to spend the time reviewing what makes sense for their respective business"
Reliability, Scalability, and Security
I believe these elements apply, whether you are building Software-as-a-Service solutions, delivering managed services, or helping users with solutions as part of an internal IT department. Let’s take a look at each of these and see how they can help you achieve success.
With the dawning of the “always on” generation, consumers and end-users have come to expect their apps to be available, any time, any place. The question is - Have IT organizations shifted their focus and thought about how to deliver a solution in a reliable manner with the customers’ data available wherever and whenever. For example, in my tenure at my current and previous company, both Software-as-a-Service organizations, we shifted our focus from traditional backups and Disaster Recovery and worked on solutions that were multi-site, multi-region, and always available. This meant understanding where the data resided, and how we could move it closer to the customer while ensuring consistency. Fortunately, with the tools available today, such as virtual machines, snapshots, hybrid cloud solutions, and the decreasing costs for storage, we were able to achieve this to varying degrees. One of the solutions we developed focused on a specific application that could lose tens of thousands of dollars every minute it was unavailable. As a result, the team came up with a hybrid cloud solution that allowed both our private and public cloud deployment to respond to any inbound request helping to eliminate single points of failure. The end result improved the reliability of the solution we were delivering for the business and our customers yet didn’t rely on traditional solutions. The added benefit we gained allowed us to have a robust deployment process that minimized customer impact.
So the product you have been working on for months is finally available and you see customer demand increase 1000 more than your original forecasted. As a result, the app is constantly having problems, performance is poor, and support cannot handle the inbound request fast enough. What do you do? Did you build your solution to scale both horizontally and vertically to meet user/customer demand? Did you factor in application performance when building out the infrastructure? The teams that I have had the opportunity to work with, ask these and similar questions. There are many ways to achieve scalability and how you implement a scalability strategy will be dependent on your specific business needs or application requirements. The solutions I have delivered to ensure scalability focused first on data collection and workload monitoring which ultimately led to implementing load balancers, caching layers, and multiple database instances (master/slave configurations). Additionally, once we had a better understanding and a solution in place, we found ways to automate the scale out of the systems based on the data.
The last of the core principles, but probably the most difficult to handle in today’s technology environment. There are “no one size fits all” solutions out there, so I like to break this up into three sub principles when working with teams; People, Processes, and Tools. By focusing in these areas, we can help reduce the risk to the business.
One of the largest attack surface areas for the “bad guys” to target are employees. Through email, phone, or social interactions, I have seen it happen. During my tenure at my current and previous companies, I was aware of incidents where phishing emails targeted company executives, requesting wire transfers to offshore accounts. Fortunately, the employees who received these sophisticated phishing emails notified the IT department and we were able to prevent the loss of funds. I’m sure many others have seen this type of attack or similar. So, in order to help prevent future financial or other types of loss, we started to communicate preventative measures more regularly with company employees in the form of email notifications while also building awareness training sessions. The plan is by sharing information with employees they will become more knowledgeable and diligent.
After people, ensuring consistent and well-documented Information Security processes is critical to company success. And as most of you know, having the processes documented is mandatory for any sort of certification or reporting requirement. Items such as data classification, user authentication (unique IDs and complex passwords), data retention, system and network configuration, incident response, change control, and logging are all critical. However, one of the items I found to be critical to the organization’s success was regular testing of the incident response process by running through an impromptu security incident with all the necessary teams. This allowed us to see if the process worked as expected and forced us to think about both technical and business requirements.
All kinds of tools exist to prevent or learn if a security incident has occurred. From firewalls, to intrusion detection and prevention solutions, to antivirus/antimalware, to web application firewall, to vulnerability testing, every team needs to spend the time reviewing what makes sense for their respective business. I also consider outside security groups as a tool that can be used to ensure a secure solution. Take the time planning what needs to be protected, and determining the right solution. For example, a few solutions I have implemented are a single sign-on tool to integrate Microsoft’s Active Directory with all cloud solutions to help protect company data and prevent data leakage, multi-factor authentication (EMC’s RSA and Google Authenticator) where applicable to increase the level of security, intrusion detection to monitor the SaaS solution being delivered, and vulnerability scanning to check against the OWASP top ten. Also, when possible, we have brought in independent, security experts to find the holes in our solutions (by the way, which has proved incredibly valuable). While I trusted my teams, getting a third party to validate went a long way to making our customers and company executives more comfortable we had good safeguards in place.
By focusing on these foundational elements of Reliability, Scalability, and Security, I truly believe IT infrastructure teams will achieve great success.