Centralized, Distributed or Both?

It was 1977 and only the second airplane trip of my life, although I was almost 21 years old. The first had been several weeks earlier when, after a quick induction into the military, I was first uprooted from my sedate midwestern hometown and...

Fuel. Not hardly. Those carry steam for heating. A mile or so up ahead is a huge steam-generating plant. These pipes run from it to buildings all over the base. It's only August, but wait until winter gets here. This place gets colder than a witch's elbow. These pipes bring heat to the major buildings. They run above ground because that way they are easier to fix and maintain. Now, here's your barracks on the left. Go in and see the CQ on duty to get a room. He paused. Wait until it starts getting cold. You're going to hate it here. We all do.

I was positive neither the base commander nor the local Chamber of Commerce would have endorsed the driver's welcome to a new assignee. However, I was too tired and wet to give it much thought. I found the CQ, who ushered me down the barracks hallway and opened a room with a spare bed. I'd have to wait for two days to get sheets and bedding, but I happily accepted the olive-drab wool government-issue blanket he offered.

As I was indoctrinated in my duties as a junior computer operator over the next few weeks, I often thought of those steam pipes I saw every day. Some engineer had obviously determined it was more cost effective to produce the heat in a centralized location and pump it around a small city than to generate heat at the site of each building. I had never encountered the concept before.

I soon reflected that the mainframe computer I ran worked in much the same way. I was assigned to the swing shift on the large mainframe that supported the military mission of this northern outpost against the Soviet threat. The computer room itself was the size of a respectable barn. It took up several thousand square feet of floor space when you factored in all the peripheral equipment, such as tape drives, card sorters, printers and punches. Simple twisted-pair telephone lines connected it with various organizations around base that used the computer for functions such as tracking supplies, maintaining personnel files, and recording flying hours and maintenance records.

Security for this environment was rudimentary but effective. The computer itself was housed within a secured facility inside another building. Access was carefully controlled, and someone was on duty at all times. You needed a special badge to even enter the facility, and another code to enter the computer room. Augmenting the physical protection was a brace of diesel generators that engaged to maintain processing functions when the electricity was interrupted. Connections to our base customers meant you had to have a special terminal hard-wired directly to the computer for access during the daily online period.

After business hours, the online sessions were terminated and batch processing began. On those rare occasions when a classified report needed to be produced, it would be processed during these off-hours times when the only access to the processor was by the specially cleared operator who manned the controlling terminal in the computer room. A centralized, mainframe computer environment meant that centralized security was supported and often enforced by the architecture of the computer system itself.

But that era was short-lived. Right now, I am typing this article on a laptop (at 35,000 feet) that has more computing power than that barn-sized system that supported an entire Air Force base. Processing now takes place at endpoints everywhere and anywhere. Computing power has become a commodity, like electricity or water. Systems used for storing and processing sensitive organizational information are often also used for personal business and can accompany employees on business travel and vacations alike. Contact lists, corporate strategy reviews, customer data and trade secrets enter and leave corporate facilities every day. The lack of centralized control over these critical assets can make securing them nearly impossible.

Security management (both physical and cyber) is, by its nature, hierarchical, autocratic and policy-driven. Current and evolving computer systems have broken away from centralized management and have created an exponential increase in vulnerabilities associated with corporate IT infrastructure. As this distributed environment grows apace, security practitioners are faced with the daunting challenge of adapting their technology, procedural, and human factors safeguards to deal with the trend. It will be no use to complain about distributed information processing and far-flung data it's happening all around you. If you are a security practitioner, your job will demand you provide protection of these resources and capabilities using the traditional security models with a large dose of creativity to keep up with changing technology and mobile information resources.