The traditional IT model has been often maligned for its lack of flexibility in dealing with the myriad of changes required for enterprise workflow, office applications, and corporate databases. By offering IT Infrastructure as a utility service at layers 4 and below, the advantages of metered, on-demand usage can be combined with flexible interfaces to application level IT. The implications on enterprise infrastructure security are also meaningful as network level protections can be embedded into a utility model, with alerts and alarms exported from a well-defined utility interface. As part of my research for the recently released 2017 TAG Cyber Security Annual (https://www.tag-cyber.com/), I had the opportunity to spend a couple of afternoons at the Morristown, NJ offices of Alliant Technologies chatting with their energetic CEO, Bruce Flitcroft, about these ideas.
EA: Let’s start with a broad question. What is an IT Infrastructure Utility?
BF: An IT Infrastructure Utility delivers information technology and networking capabilities to an enterprise in a way that is similar to how power companies provide electricity. Modern enterprise IT, network, and security teams tend to waste a high percentage of their budget just trying to keep the lights on in their infrastructure. This detracts from their ability to focus on delivering flexible, high-value capabilities to their users. At Alliant Technologies, we’ve partnered with global service providers like AT&T Partner Exchange and world-class technology providers such as Cisco to create an IT Infrastructure Utility that has many advantages. For information technology and network teams, it simplifies management and reduces cost. For enterprise security teams, it ensures that infrastructure security processes like patching, vulnerability management, and security operations center (SOC)-based oversight are done in a timely and accurate way.
EA: Does an IT Infrastructure Utility operate across the entire range of network and IT services?
BF: It certainly supports all layers, but we’ve found that the best approach is to focus the IT Infrastructure Utility on network layers 4 and below – as defined in the OSI stack. This allows the enterprise to focus on layers 5 and up, which includes the application layers that are seeing so much more SaaS-based deployment these days. For security teams, this approach creates a flexible, virtualized perimeter of the enterprise’s private domain, thereby extending the enterprise’s private infrastructure to absorb off-premises locations, including cloud services, and also providing for comprehensive security management and compliance. Furthermore, the IT Infrastructure Utility collects all the foundational operating data, including syslog and NetFlow, and makes this data available to higher level enterprise tools such as the SIEM, in the form of log file access or alarm tickets.
EA: Can you say more about the impact of an IT Infrastructure Utility model on security? Are the interface seams between utility services and the upper level applications possible points of attack?
BF: An IT Infrastructure Utility model provides a firm foundation on which security can be built and managed.This is accomplished through the use of standard reference architectures, which reduce the number of vendors and configuration variables that need to be pre-validated, thus decreasing the number of possible attack vectors. In addition, the network infrastructure itself is becoming a security sensor, and it needs to be maintained to perform that function. Security is integrated into the reference architecture in a way that allows enterprises to select how they want to enact and enforce security policy without dictating a particular method.Furthermore, the IT Infrastructure Utility is proactively managed, which ensures that the infrastructure stays up to date with vendor security alerts.
EA: Would the IT Infrastructure Utility service provider become part of the enterprise incident response team for issues that occur at layer 4 and below, such as DDOS attacks?
BF: Yes, the IT Infrastructure Utility plays a vital role in incident response, especially where security remediation and recovery require action at layers 4 and below. During an incident, the utility provider makes reactive changes to device configurations based upon enterprise-provided mitigation strategies specifically related to the deployed security configurations. And the proactive configuration management in an IT Infrastructure Utility also reduces the attack surface by eliminating security issues as they are discovered by manufacturers and ensuring that software and configurations up to date.Additionally, IT Infrastructure Utility provides valuable operational and performance data to the enterprise SOC in support of threat analysis.
EA: How does an IT Infrastructure Utility accommodate the one-off needs of an enterprise buyer? This is a big issue for security teams.
BF: Our primary approach taken at Alliant is to accommodate the one-off needs of the enterprise through flexibility in the architecture and support for as-needed changes via proactive management. This is not the same as letting the buyer dictate the equipment delivered in the utility service, but it does allow for a complete set of features – and this includes enterprise security features – to be enabled in the infrastructure. A good example is that an IT Infrastructure Utility can accommodate real-time changes in the face of an active attack. This can be viewed as one-off support, but we see it as a normal component of a live response.
EA: Any final thoughts on the IT Infrastructure Utility services for enterprise security teams?
BF: Our mission is to bring the utility model to private, on-premises network infrastructures, and this has good implication for security teams. Take risk management, for example – an issue that is well understood in the security community. Historically, there has been an absence of risk sharing in the traditional IT Industry. The enterprise bore all the financial, technical, deployment, and operational risk. The enterprise had to piece together the different technology vendors required for an end-to-end solution, and was responsible for making sure the various parts worked together. In this traditional IT model, the enterprise was responsible for coordinating deployments across vendors while assets lay idle. This risk model changes with the IT Infrastructure Utility, which involves sharing of the enterprise risks, and this includes security capabilities at the lower layers. As the industry gains awareness that this IT Infrastructure Utility is available in the market along with its financial, operational, and security benefits, enterprises security teams will come to recognize the value of this approach for protecting the enterprise from cyber attack.