IT Vulnerabilities Remind Us of the Need for Action




PHOTO:
Dmitry Ratushny

A new year is a time for reflection, a practice corporate IT would do well to adopt. Although I took some time off over the holidays, a number of events, trends and news kept me busy. In December, it was the Log4j security vulnerability, whose full consequences remain unknown as the Trojans may still be slumbering in yet to be identified systems.

The threat to corporate IT from Log4j and related extortion attempts is far from over, so companies should continue to keep a backup from before December 1, 2021, just to be safe.

Log4j Is Not Open Source’s Fault

People have used the vulnerability as an excuse to argue against open-source solutions, stating they are not as secure. But keep in mind proprietary, closed software has its fair share of security holes. If the code is open, at least theoretically more developers can look inside to fix the bugs. Of course, Log4j made it clear that even open-source solutions are not and will not be bug-free. If the code is then widely distributed, as in the case of Log4j, it can have corresponding widespread effects, which will hopefully not be as dramatic as the rule.

An error in Microsoft Exchange at the turn of the year reiterated that software errors unfortunately are part of the everyday life in IT — and more broadly, to our everyday lives. Headlines online noted how the ‘Y2K22 bug stops Exchange mail delivery’ and how ‘Antimalware engine stumbles over 2022.’  Some versions of the Exchange server (2016 and 2019) failed to deliver emails at the beginning of the year because an incorrect date format could not be processed in the integrated malware scanner. The bug has since been fixed, but some servers are still hiccuping and it will take a while before all of the emails go out. Once again, a reminder of the vulnerabilities of the systems we rely on so heavily.

Related Article: Equifax Breach Drags Open Source Security Into Spotlight Once More

AWS Outage Takes Out Netflix, Disney+ and More

Another end of year story that flew slightly under the radar was the Amazon Web Services outage in early December 2021. The outage affected many companies on the East Coast of the U.S. However, in this case, the disruption exemplifies how much individuals and businesses depend on “the cloud,” in this case, market leader AWS. Suddenly Disney+, Netflix and the devices in the smart home no longer worked.

But we are dealing with enterprise IT here. The incident forced companies and government agencies to realize that they too are dependent on the cloud, even if they thought they had no contracts with Amazon. But when Trello or Slack stopped running, it was precisely because these solutions use Amazon Web Services.

One other factor in our cloud dependency to remember: most of the time we’re not just using one cloud anymore. When we have Microsoft Office products in use, use Trello or Slack, migrate to SAP S/4 Hana, or use other solutions from HR to supply chain, we as a company automatically have different cloud providers in use, even if it’s not perceived that way at first glance. The multi-cloud is mostly already a reality today. Companies will not be able to get away from this for cost reasons alone. A complete return to the company’s own data center is probably no longer possible. Instead, there will be a hybrid cloud world in which various cloud providers and the private cloud are used in the company’s own data center.

Related Article: How Baseline Security Practices Could Have Prevented Recent Cloud Attacks

Challenges for Corporate IT: Multi-Cloud, S/4 Hana, Cybersecurity

All the incidents described show how sensitive our critical IT infrastructures are, how quickly and consistently we often have to react, and how much expertise we need in setting up and, above all, running and managing our own corporate IT. Cybersecurity may be the topic for 2022, building and managing a hybrid multi-cloud remains on the agenda alongside the migration to SAP S/4 Hana that many companies are facing. Companies will have to think about how they can remain as independent as possible in the cloud world, potentially move solutions from one cloud to another. They will have to look at how important resilience is to them and what they are willing to pay for it. Will they really allocate the money to run critical systems in two or even three Availability Zones?

These are all special challenges at a time when IT specialists are being frantically sought, from security experts to SAP specialists. I venture to predict that companies and the administration will need external expertise and partners just as much as they should think about new concepts to bundle and share expertise, for example in the area of cybersecurity. And the issues and challenges cannot be put on the back burner. The incidents described have shown that.

Stefan Pfeiffer is working in Communications for Kyndryl Germany, the spin-off from IBM delivering Managed IT Infrastructure Services. Prior he was in different Marketing for IBM joining IBM from FileNet acquisition.



Source link

We will be happy to hear your thoughts

Leave a reply

Logo
Reset Password
Shopping cart