By David Geer
Sept. 13, 2016
BYOD challenges change management by requiring a service wrapper around a portfolio of consumer devices that is always changing: new employees, partners and partners' employees come on board or leave, and anyone may add, change or upgrade a device at any time.
How hits to change management affect security
Even in the young field of DevOps, costly errors in change management make big headlines. According to King, the risks of rapid development cycles and immature change management practices led to Knight Capital’s swift, gigantic financial losses. “Knight Capital was a high-frequency trading hedge fund that had about 80 percent of its portfolio wiped out in a matter of minutes due to a software glitch. They lost about $440 million in about 30 minutes,” says King.
The pressing need to get IoT devices and related technological changes ready for market stands in sharp contrast to security, which is about developing and testing a good design, defining robust requirements, and then testing again and again before release, according to Mathews. The result of rushing through change management and security measures here is that each new IoT device represents an even riskier node on the internet that is even more susceptible to attack, Mathews explains.
Automation affects change management and security because there may not be an understanding of how to support the new information security requirements of automation as change occurs. This can make the enterprise susceptible to intrusion and unable to adequately respond when disaster recovery plans must execute, Davison says.
As for information technology service partnering, when partner employees don’t follow the enterprise change management process, information security risks rise, says Walker. In cloud computing environments, simply adding errors in the process of coordinating change among different cloud environments to the already precarious task of implementing federated security across these clouds can add significant risk. And when BYOD change management processes operate in a vacuum and not as part of a comprehensive enterprise change process, this can draw information security down.
For DevOps, enterprises can make compromises between the development and change management / security teams by using a sandbox for development. “Development can do anything they want in this virtualized sandbox. Security keeps the sandbox segmented from production. Once a software change passes thorough rapid testing and QA and security scans, they can push it into production,” says King.
Developers must use trusted tools from trusted sources inside those sandboxes so that attacks don’t enter through holes created by cloned tools that hackers have purposely packed with vulnerabilities and malware.
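The sandbox-to-production flow King describes, together with the trusted-tools requirement above, can be expressed as a single promotion gate: a change leaves the sandbox only when tests, QA and the security scan have passed and every tool it was built with matches a digest the team has vetted. The following is an added example, not code from the article or from anyone quoted in it; the check names, tool names and pinned digests are constructed for illustration.

```python
"""Added example: promotion gate for a sandbox-to-production change.
Tool names, digests and check names are constructed, not real releases."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a tool binary as it sits in the sandbox."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a vetted build tool; in practice the pinned digest
# comes from the vendor's signed release manifest, never from the download itself.
TRUSTED_BUILD_TOOL = b"#!/bin/sh\necho vetted-build-tool\n"
PINNED_TOOLS: Dict[str, str] = {"build-tool": sha256_hex(TRUSTED_BUILD_TOOL)}


def tool_is_trusted(name: str, tool_bytes: bytes) -> bool:
    """Reject tools that are not on the allowlist or whose digest differs from
    the pin, which is how a cloned, malware-laden copy is caught."""
    pinned = PINNED_TOOLS.get(name)
    if pinned is None:
        return False
    return hmac.compare_digest(pinned, sha256_hex(tool_bytes))


@dataclass
class Change:
    change_id: str
    tests_passed: bool
    qa_passed: bool
    scan_findings: int                      # open findings from the security scan
    tools: Dict[str, bytes] = field(default_factory=dict)  # name -> tool bytes used


def promotion_gate(change: Change) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed condition is recorded so the
    change record shows exactly why a build was held in the sandbox."""
    reasons: List[str] = []
    if not change.tests_passed:
        reasons.append("rapid tests failed")
    if not change.qa_passed:
        reasons.append("QA has not signed off")
    if change.scan_findings > 0:
        reasons.append(f"security scan reported {change.scan_findings} finding(s)")
    for name, blob in change.tools.items():
        if not tool_is_trusted(name, blob):
            reasons.append(f"tool '{name}' is not a verified trusted build")
    return (not reasons, reasons)
```

A change built with a tool whose digest does not match its pin is held back even when every other check is green, which keeps the "trusted tools from trusted sources" rule enforceable rather than advisory.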
For IoT, the enterprise needs to restructure information technology to monitor, track and support new apps and devices through investment in security governance, protocols, standards and procedures, says Mathews.