
System Security or You don't know what you are doing (again).

5/12/2016 10:46 AM

Not too long ago I was invited to talk to the IT leadership of a “well-funded financial start-up” in Charlotte, NC. As usual, they wanted to tell me why they were doing it right and how thorough they were being, and weren’t really interested in the expert opinion. They didn’t have the doors open yet but did have 20 or 25 developers sitting around throwing paper airplanes at each other. The CIO went on about Enterprise Service Bus (ESB) and how that made his data so much more secure. I asked him if that was an ESB like the ones Sony, Adobe, Zappos and Yahoo employed. So if these big, successful companies can’t secure their own data, who can? To answer that question, we need to look at what they are doing and where it went wrong.

Hundreds or thousands of disparate systems

In the beginning there was a man and he did work. He was a farmer or a smith, and he took a youngster in and taught him a trade. With the industrial revolution things started to specialize more. You had one person doing one little part of the job, another procuring the pieces that person needed to do the job, a third overseeing the job, and a fourth keeping accounts of what the first three cost. That’s all well and good and obviously worked, or we wouldn’t still be doing the same exact thing today. Every department in every mid-sized to large company on the planet is its own little fiefdom with its own little squire/knight/baron/viscount/duke/earl/king/queen, and they all do everything differently. The powers that be run out and buy some piece of software to help them do their jobs and spend hundreds of thousands and sometimes millions of dollars implementing it. This leads to one or more disparate systems for every department in a company. Nobody in this company knows who wrote the software, how secure it is, or usually even how it was written or what language it’s in. As Sony and even Adobe found out, you literally cannot secure all these systems (or, you don’t know what you are doing).

Bob Cratchit

Charles Dickens published “A Christmas Carol” in 1843. Jacob Marley was the squire/knight/baron of a small accounting firm, and he employed Bob Cratchit as an accountant. Bob sat around all day and wrote and tallied columns of numbers in a spreadsheet. The only difference between what was happening then and what is happening now is that the spreadsheet is behind the plastic sheet that is the screen of your monitor. Bob had ink stains on his fingers; you get carpal tunnel. When Bob was done, he folded up his spreadsheet and put it in a file cabinet somewhere. You email yours to someone in another department to file, to make some arcane decision, or just to pass it along, but it is all the same, and it isn’t secure. So if we can’t secure email and spreadsheets, and we can’t have hundreds of disparate systems, what do we do?

The Solution

First, feudal leadership doesn’t understand Information Technology, so remove it from the decision-making process except at a high level. That means they get to pick Java/Oracle or .NET/SQL Server (basically Microsoft v. non-Microsoft technologies), but that is it. Second, build one application that does everything that needs to be done. This sounds a lot like an Enterprise Resource Planning (ERP) system, but it isn’t. Once you break down what a department actually does, you’ll find that most of the people are shuffling papers, typing into spreadsheets or eating donuts, but not getting much done. All we really need to do is find the inputs, find the outputs and connect them together in the simplest way possible, taking human decision making out of the process.

We all lived through the Great Recession of 2008. It was caused by speculation in the mortgage industry: bankers gave loans to people who couldn’t pay them back, thinking that housing could never actually lose value. They were wrong. By taking people out of the decision-making process (which the federal government did by saying ‘you have to have 20% cash down to buy a house’), we have a mortgage system that people can’t screw up. But what does a bank really do? It takes deposits from clients and loans those deposits back out to them. Sure, there is some black magic in the background with the time value of money, traders and playing the stock market, but outside of that and actually talking to customers, everything a bank does can be automated, and should be. In Sentia’s little world there would have been no disruption in 2008, because the one system would not have loaned money to people who couldn’t pay it back; it would have taken the greedy bankers out of the equation and not lost trillions and caused worldwide famine and death. This is NOT an exaggeration.

That still doesn’t make our data secure, does it? Once this one system is in place, we only have to worry about securing it and nothing else.
We have to secure it at the lowest level first, that is, the database level. What our developers do is require a Globally Unique Identifier (GUID) for every interaction with the database. This GUID identifies not only the user but the user’s session: the unique combination of a specific user and that user’s specific login time. The GUID is issued by the database server and handed to the application server (where the web service or web application lives); it is never transmitted across the internet. It is only worth anything if it is unguessable, so it has to come from a random (version 4) GUID generator, not a sequential or time-based one.

One of the cleverer attacks is the replayed login, often lumped in with “Man in the Middle”: an attacker who has captured a user’s credentials opens a second session while that user is still logged in. Because that is a new session for a user who already has one, we deny it outright. An ESB (remember them?) by itself does not. And since the GUID identifies the user, we can lock the database down so tightly that nobody save the system administrator can even see the tables (where the data lives): application code reaches data only through procedures that take the GUID, and the rows it is allowed to see are determined by the session, not by a user identifier the caller supplies.

All that is great, but nobody can build this ONE application, right? Who bells the cat? Sentia does. We have a set of tools that can not only generate entire applications but import data into them from legacy software. We can also import data from machines that we don’t want to redesign. If a car-painting robot has a database that tells us how much paint it used and how many cars went by in a day, we will not reinvent the wheel; we can use that data as if it were native and actually resided in our application.

What is the conclusion? You are doing it wrong, big business. You have thousands of Bob Cratchits and Jacob Marleys running around making idiotic decisions, wasting resources and gumming up the works. These people (at least the Bobs) know they are doing it wrong and have a thousand ideas about how to do it better, but can’t get the ear of the aristocracy to shout “The King has no clothes!” How is that for some metaphor mixing?
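Here is what the session-GUID gate described above looks like end to end. This is an added example written for this page, not Sentia’s code or its tools: sqlite3 stands in for SQL Server or Oracle, the functions open_session, balances and close_session play the role of the stored procedures the application login would be allowed to EXECUTE (with no SELECT on the base tables), and the users, passwords and balances are constructed sample data. It shows the three things the paragraph claims: a second login for a user who already holds a session is refused even with the right password, a forged or logged-out GUID reads nothing, and a caller never names the user, so the rows it gets are scoped by the session it holds.

```python
"""Session-GUID gate for database access (added example, not Sentia's code).

Every data-access call carries a GUID the *database* issued at login. The GUID
stands for one user plus one login instance, so a second concurrent login is
refused, a bogus GUID gets nothing, and row scope is derived from the session.
sqlite3 stands in for SQL Server/Oracle; all sample data below is constructed.
"""
import hashlib
import hmac
import secrets
import sqlite3
import uuid

PBKDF2_ROUNDS = 100_000  # assumption: any current password-hashing setting will do

class AccessDenied(Exception):
    """Raised by the 'database side' when a call carries no valid session GUID."""

def open_db():
    """Schema. The partial unique index makes the DB itself refuse a second
    active session per user instead of trusting the application to check."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(user_id INTEGER PRIMARY KEY, name TEXT UNIQUE,
                           salt BLOB NOT NULL, pw_hash BLOB NOT NULL);
        CREATE TABLE sessions(session_guid TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
                              active INTEGER NOT NULL DEFAULT 1);
        CREATE UNIQUE INDEX one_active_session ON sessions(user_id) WHERE active = 1;
        CREATE TABLE accounts(account_id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
                              balance_cents INTEGER NOT NULL);
    """)
    return db

def create_user(db, name, password):
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    db.execute("INSERT INTO users(name, salt, pw_hash) VALUES (?, ?, ?)", (name, salt, pw_hash))
    db.commit()

def open_session(db, name, password):
    """'Stored procedure': verify credentials, issue a random (version 4) GUID.
    The GUID goes to the application server only; the browser never sees it."""
    row = db.execute("SELECT user_id, salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        raise AccessDenied("unknown user")
    user_id, salt, pw_hash = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, pw_hash):
        raise AccessDenied("bad password")
    guid = str(uuid.uuid4())
    try:
        db.execute("INSERT INTO sessions(session_guid, user_id) VALUES (?, ?)", (guid, user_id))
    except sqlite3.IntegrityError:
        # Right password, but this user already holds an open session: a
        # replayed login is refused by the unique index, not by app logic.
        db.rollback()
        raise AccessDenied("user already has an open session") from None
    db.commit()
    return guid

def close_session(db, guid):
    db.execute("UPDATE sessions SET active = 0 WHERE session_guid = ?", (guid,))
    db.commit()

def _user_for(db, guid):
    """Resolve a GUID to its user; anything that is not an active session is denied."""
    row = db.execute("SELECT user_id FROM sessions WHERE session_guid = ? AND active = 1",
                     (guid,)).fetchone()
    if row is None:
        raise AccessDenied("no active session for that GUID")
    return row[0]

def balances(db, guid):
    """'Stored procedure': the caller passes the GUID, never a user id, so it
    cannot reach another user's rows by changing a parameter."""
    user_id = _user_for(db, guid)
    return db.execute("SELECT account_id, balance_cents FROM accounts WHERE user_id = ? "
                      "ORDER BY account_id", (user_id,)).fetchall()

def demo():
    """Normal path plus the denials; returns the outcomes as a dict."""
    db = open_db()
    create_user(db, "bob", "ink-stains")      # constructed sample users
    create_user(db, "marley", "chains")
    db.execute("INSERT INTO accounts(user_id, balance_cents) VALUES (1, 12500), (1, 300), (2, 999999)")
    db.commit()

    def attempt(fn):
        try:
            fn()
            return "allowed"
        except AccessDenied:
            return "denied"

    bob = open_session(db, "bob", "ink-stains")
    out = {"bob_balances": balances(db, bob)}
    out["second_login"] = attempt(lambda: open_session(db, "bob", "ink-stains"))
    out["forged_guid"] = attempt(lambda: balances(db, str(uuid.uuid4())))
    marley = open_session(db, "marley", "chains")
    out["marley_balances"] = balances(db, marley)   # only Marley's row, via his GUID
    close_session(db, bob)
    out["after_logout"] = attempt(lambda: balances(db, bob))
    out["relogin_new_guid"] = open_session(db, "bob", "ink-stains") != bob
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point worth copying is where the checks live: the single-session rule is a unique constraint and the row scope is a join from the session row, so an application bug or a stolen user id cannot bypass either. On a real SQL Server or Oracle deployment the application login would be granted EXECUTE on these procedures and nothing on the tables, which is the “nobody but the system administrator can see the tables” posture the text describes.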
What we need is strong, knowledgeable leadership that at least knows what it doesn’t know and isn’t so arrogant that it can’t hear “The King has no clothes!” …and the King IS naked. Sentia is working right now to completely redesign the way health insurance is managed. You can read all about that in the blog prior to this one. That application is done, has several thousand users and will cut about a third out of the cost of healthcare for every man, woman and child in the United States. We also have an application in the works to manage credit unions, and after that will come small banks. My vision is that the Bank of Peoria (or Fannin County, or whoever is barely making it now), with some good leadership and automated processes, can grow and take over the too-big-to-fail financial institutions by simply being more agile, more efficient and better able to follow the rules that get the arrogant squire/duke/king into trouble. If this doesn’t happen, don’t look at us. We are doing everything we can to get the word out. Nobody really wants to hear that the King is naked, even if by saying it they could have the throne.
