Centralized, Distributed or Both?

Oct. 27, 2008

It was 1977 and only the second airplane trip of my life, although I was almost 21 years old. The first had been several weeks earlier when, after a quick induction into the military, I was first uprooted from my sedate midwestern hometown and deposited in San Antonio, TX, to begin what would turn out to be a 17 1/2-year Air Force career. This second aerial journey was taking me to my first permanent duty assignment, the northern tier bomber base at Plattsburgh, NY. It was a place I had only recently located on a map.

The military assignment system is loaded with irony and droll humor if you look for it. A permanent change of station, or PCS, means that you are being sent to someplace where you are slated to stay for no more than three years. I had been required to fill out a form in technical training school requesting my preferences for places I would like to be PCS'ed. Everyone in the service knows the form by its nickname: the dream sheet.

Since I had enlisted in the Air Force seeking travel and adventure, my dream sheet was a catalog of every exotic and enticing locale that captured the fancy of a bored young college dropout raised in a tiny house in an Illinois factory town. I asked for Hawaii, Germany, Japan and England, among others. My friend from training class was a Puerto Rican kid who had grown up in New York City. His dream sheet only listed New York and New England. He wanted to stay near home. When our orders arrived at the end of training, he was headed for Europe, and I was going to New York. Trading wasn't allowed.

I was now sitting in a tiny seat aboard a small, twin-engine turbo prop with three other passengers, bouncing through the skies of central New York State, dodging the electrical storms that flashed around us. We had departed from Albany after a lengthy delay and were now headed due north. Around midnight, we landed at an airport that sported a terminal no bigger than a large garage. It was pouring rain, and we were soaked when we ducked through the door of the tiny waiting lounge. Since our flight was late, only one airline employee was on duty, and she was out on the ramp with her slicker on, pulling our luggage out of the baggage compartment.

As I shook my coat and ran my hand across my brush cut, I spotted a guy in fatigues wearing a government-issued raincoat. He tossed his cigarette butt in the ashtray, and as he exhaled a last lungful of nicotine, he growled, "You McCumber?"

"Yes, Sir. Airman John McCumber reporting for PCS to Plattsburgh Air Force Base," I said, proudly remembering what I had been taught.

"Save the formalities for your commander tomorrow," he replied blandly. "I'm just the on-duty motor pool auxiliary driver. You're the only one on our pick-up list tonight and you're late. Get your duffel and get in the truck outside," he said without an introduction or handshake.

We drove the roughly 20 minutes to the base, mostly through the small town of Plattsburgh. The driver seemed annoyed and tired, so I tried to keep my observations to myself. The town looked shockingly like home. In some ways, I was disappointed. As we turned on to the base, we were waved through the gate by a sentry and drove down the main road toward the large hangars looming in the darkness.

The feature that caught my eye in the late-night gloom was the gleaming silver pipeline that ran along both sides of the main road. Each pipe was about eighteen inches in diameter, and the system ran at about waist height for several hundred yards before it plunged into the ground only to emerge a few feet later and run for several hundred more yards. My curiosity overrode my desire to avoid a caustic reply from my testy chauffeur.

"Hey, what the heck are these huge pipes running along the sides of the road? Is that how they pump fuel to the aircraft?" I asked, trying to sound reasonably perceptive. He began his answer by laughing at me.

"Fuel. Not hardly. Those carry steam for heating. A mile or so up ahead is a huge steam-generating plant. These pipes run from it to buildings all over the base. It's only August, but wait until winter gets here. This place gets colder than a witch's elbow. These pipes bring heat to the major buildings. They run above ground because that way they are easier to fix and maintain. Now, here's your barracks on the left. Go in and see the CQ on duty to get a room." He paused. "Wait until it starts getting cold. You're going to hate it here. We all do."

I was positive neither the base commander nor the local Chamber of Commerce would have endorsed the driver's welcome to a new assignee. However, I was too tired and wet to give it much thought. I found the CQ, who ushered me down the barracks hallway and opened a room with a spare bed. I'd have to wait for two days to get sheets and bedding, but I happily accepted the olive-drab wool government-issue blanket he offered.

As I was indoctrinated in my duties as a junior computer operator over the next few weeks, I often thought of those steam pipes I saw every day. Some engineer had obviously determined it was more cost effective to produce the heat in a centralized location and pump it around a small city than to generate heat at the site of each building. I had never encountered the concept before.

I soon reflected that the mainframe computer I ran worked in much the same way. I was assigned to the swing shift on the large mainframe that supported the military mission of this northern outpost against the Soviet threat. The computer room itself was the size of a respectable barn. It took up several thousand square feet of floor space when you factored in all the peripheral equipment, such as tape drives, card sorters, printers and punches. Simple twisted-pair telephone lines connected it with various organizations around base that used the computer for functions such as tracking supplies, maintaining personnel files, and recording flying hours and maintenance records.

Security for this environment was rudimentary but effective. The computer itself was housed within a secured facility inside another building. Access was carefully controlled, and someone was on duty at all times. You needed a special badge to even enter the facility, and another code to enter the computer room. Augmenting the physical protection was a brace of diesel generators that engaged to maintain processing functions when the electricity was interrupted. Connections to our base customers meant you had to have a special terminal hard-wired directly to the computer for access during the daily online period.

After business hours, the online sessions were terminated and batch processing began. On those rare occasions when a classified report needed to be produced, it would be processed during these off-hours times when the only access to the processor was by the specially cleared operator who manned the controlling terminal in the computer room. A centralized, mainframe computer environment meant that centralized security was supported and often enforced by the architecture of the computer system itself.

But that era was short-lived. Right now, I am typing this article on a laptop (at 35,000 feet) that has more computing power than that barn-sized system that supported an entire Air Force base. Processing now takes place at endpoints everywhere and anywhere. Computing power has become a commodity, like electricity or water. Systems used for storing and processing sensitive organizational information are often also used for personal business and can accompany employees on business travel and vacations alike. Contact lists, corporate strategy reviews, customer data and trade secrets enter and leave corporate facilities every day. The lack of centralized control over these critical assets can make securing them nearly impossible.

Security management (both physical and cyber) is, by its nature, hierarchical, autocratic and policy-driven. Current and evolving computer systems have broken away from centralized management and have created an exponential increase in vulnerabilities associated with corporate IT infrastructure. As this distributed environment grows apace, security practitioners are faced with the daunting challenge of adapting their technology, procedural, and human factors safeguards to deal with the trend. It will be no use to complain about distributed information processing and far-flung data; it's happening all around you. If you are a security practitioner, your job will demand you provide protection of these resources and capabilities using the traditional security models with a large dose of creativity to keep up with changing technology and mobile information resources.

John McCumber is an IT security professional and the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology, the new book from Auerbach Publications. He can be reached at [email protected].