The Datacenter’s Maginot Line

The Maginot Line was a collection of walls, bunkers, tanks and artillery posts constructed by the French in the 1930s and 40s as a line of fortification against Germany and Italy. It prevented direct attacks, but was easily outflanked by the Germans in WWII when they invaded Belgium and then walked into France in less than two days. The Line has become a cliché for failed military planning and execution. The truth is messier. The Maginot Line did cause the Germans to concentrate their forces along the French-Belgian border, and it did give the Allies time to regroup and defend. Nevertheless, it is considered to be one of the colossal military and strategic blunders of all time.

I have been in too many data centers in the last 12 to 18 months that remind me of the Maginot Line. The standard fortifications are all in place: firewalls, anti-virus, effective email management and intrusion detection/intrusion prevention. Those are the Big 4 of corporate security. On a scale of one to ten, one being ineptitude and ten being excellence, I would give most data centers I have been to a seven when it comes to covering the Big 4. There are laggards in intrusion detection and prevention, but for the most part the first line of defense is in place.

The problem is that there are figurative Belgiums in the data center that are less defended or not defended at all. Patching of systems, particularly the desktop, is at a low point by personal observation. The technology to patch is available, but other initiatives, particularly the virtualization of the enterprise, have taken precedence. If the environment is not patched, there is no protection against zero-day vulnerabilities.

I am also seeing minimal control of the user's desktop environment outside of the immediate corporate environment. There are standard builds that are shipped with new systems, but once deployed, remote users are often free to add new software. I surveyed the desktops for a 1000-seat government agency. We discovered more than 7000 different software packages installed.

Endpoint protection ranks as the biggest vulnerability. Again, controls at the corporate center might be adequate, but away from prying eyes, users are free to plug in a USB device, burn DVDs to their heart's content and alter corporate documents.

It's time to put aside the easy and take care of the hard. If you don't have a plan to protect endpoints and prevent data loss, your line of defense is not properly fortified. The Big 4 may help you avoid surprise attacks and raise the alarms, but by that time it could be too late. Develop a plan to protect the endpoints, patch the desktops and prevent critical data from leaving your organization.
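The survey described above (thousands of distinct packages across a fleet shipped from a single standard build) is the kind of finding a simple inventory reconciliation surfaces. The script below is an added example, not code from the original post or from any particular product: it assumes a per-host software inventory exported as `host,package,version` lines (the sort of export a desktop management agent or login script can produce) and a hypothetical approved "standard build" mapping package names to sanctioned versions. The host names, package names and versions are constructed sample data. It reports the distinct package count, which packages are outside the build and on which hosts, and which approved packages are running a version other than the sanctioned one, which is the patch-lag signal the post is concerned with.

```python
"""Reconcile per-desktop software inventories against an approved standard build.

Added example; the input format and the baseline below are assumptions.
"""
from collections import defaultdict

# Constructed sample inventory: three desktops, one record per installed package.
SAMPLE_INVENTORY = """\
ws-001,Acme Office Suite,12.1
ws-001,Corp VPN Client,4.0
ws-001,FreeTorrentClient,2.3
ws-002,Acme Office Suite,12.1
ws-002,Corp VPN Client,4.0
ws-002,Corp VPN Client,3.9
ws-003,Acme Office Suite,11.8
ws-003,Corp VPN Client,4.0
ws-003,ScreenRecorderPro,1.0
ws-003,FreeTorrentClient,2.3
"""

# Hypothetical standard build: package name -> approved version.
STANDARD_BUILD = {
    "Acme Office Suite": "12.1",
    "Corp VPN Client": "4.0",
}


def parse_inventory(text):
    """Yield (host, package, version) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not all(parts):
            continue
        yield tuple(parts)


def reconcile(records, baseline):
    """Compare installed packages against the baseline.

    Returns a dict with:
      distinct_packages - number of different package names seen fleet-wide
      unapproved        - package -> sorted hosts where a non-baseline package is installed
      stale_versions    - sorted (host, package, found, approved) for out-of-date approved packages
    """
    distinct = set()
    unapproved_hosts = defaultdict(set)
    stale = []
    for host, pkg, ver in records:
        distinct.add(pkg)
        if pkg not in baseline:
            unapproved_hosts[pkg].add(host)
        elif ver != baseline[pkg]:
            stale.append((host, pkg, ver, baseline[pkg]))
    return {
        "distinct_packages": len(distinct),
        "unapproved": {p: sorted(h) for p, h in unapproved_hosts.items()},
        "stale_versions": sorted(stale),
    }


def report(text=SAMPLE_INVENTORY, baseline=STANDARD_BUILD):
    """Print a short human-readable summary and return the reconciliation result."""
    result = reconcile(parse_inventory(text), baseline)
    print(f"distinct packages fleet-wide: {result['distinct_packages']}")
    for pkg, hosts in result["unapproved"].items():
        print(f"outside standard build: {pkg} on {', '.join(hosts)}")
    for host, pkg, found, approved in result["stale_versions"]:
        print(f"stale: {host} has {pkg} {found}, build specifies {approved}")
    return result


if __name__ == "__main__":
    report()
```

On real data the inventory text would come from a file or from an agent's export rather than the embedded sample; the point of the `unapproved` and `stale_versions` lists is that they are the two things a standard build alone does not tell you once the machine leaves the building.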