We pretty much accept now that one price we pay for relentless technological advance is a parallel growth in IT risk.
Whether it’s from government-sponsored cyber-attacks or corporate system meltdowns, fallout from IT failures and abuses seems to get more earth-shattering with each passing headline.
Some talk of a potential techocalypse, although I wouldn’t trust the prophecies of anyone prepared to do that to the English language.
It’s not that IT failures and breaches are a new thing.
Thirty-odd years ago I remember being called in to a very senior manager’s presence following a particularly unpleasant IT outage, to be forcibly reminded that our business lived or died by its IT, and that this time we were very lucky it hadn’t died.
That particular failure involved an old-fashioned, monolithic mainframe system. Since then the number of moving parts in our tech has grown exponentially as we’ve evolved from client-server to web to services to Cloud.
This growth in complexity has made it harder to get your arms around the whole stack and control it, and easier for the bad guys to find a way in.
Of course, for a long time we’ve been harnessing technology to mitigate the effect of mushrooming complexity, developing tools for everything from automated testing and configuration management to anti-malware and smart firewalls.
And we’re almost keeping up. Almost, but not quite, hence the continuing ‘IT Meltdown’ headlines and the tendency of CIOs still to jump at sudden loud sounds.
How can we move from ‘almost keeping up’ to being ahead of the game?
Continuing to develop tech to help reduce risk seems a good plan, and there are lots of innovations out there.
But I fear that a lot of this work is incremental rather than transformational. We’re reacting to new risks and threats, which makes it tough for us to get ahead of the game.
A web application firewall is a much more effective tool than one that just filters dodgy IP addresses and protocols, but it’s still fundamentally just a firewall.
Maybe we need a more revolutionary approach to get ahead of the bad guys and the inevitability of human error.
(I will pause at this point so that everyone who is already working on such revolutionary approaches can take a moment to shout at the screen and bang their heads against their keyboards – sorry I haven’t got to you guys yet).
What will such game-changers look like?
I have absolutely no idea, although two random thoughts which sprang to my mind when I got onto this were canaries, and fingerprinting for computers.
You may well know that in days of less enlightened animal welfare, coal miners took canaries down the mine because the poor creatures would be the first to succumb to any poison gases, thus giving their human oppressors a window to get out before the fumes got to them.
I’m not proposing that we start putting tropical birds in datacentres. It would certainly make them pleasanter, but it’s hard to see how it would mitigate any risk.
What I am proposing is the basic idea of an IT canary equivalent: an early warning system to reduce the risk of planned change, and perhaps to mitigate some external threats.
You may say that we already have our IT canaries in the form of test systems and pre-production environments.
The challenge with these is that they never quite mirror the production environment 100%, and the costly failures tend to happen in the gap.
Every time an IT implementation snafu hits the press, someone pops up and asks why they didn’t test the change. Of course, they will have done, it’s just that 100% testing is getting harder and harder to achieve.
The true canary for IT is a parallel system which mirrors the live environment exactly, contains the same data, has the same inputs and outputs and executes the same transactions: effectively a digital twin.
Planned changes get deployed to the digital twin and rolled forward to the real system after a suitable time lag if there are no glitches, with the parallel environments being managed by some kind of hypervisor.
Such a thing would have been impossibly costly when I started out as an IT manager, but I believe our virtualisation capabilities must now make it realisable (please let me know if it has been and I’ve just missed it).
Some of the capability was certainly there a few years back when I was responsible for the network supporting a major new service-based enterprise platform.
In spite of meticulous configuration control and numerous test and pre-production environments, we had a number of instances where changes to the production environment led to unforeseen and unwelcome consequences, because there were just too many components and variables in play.
At the time I was looking at network modelling tools which would allow us to create a virtual replica of our network, and it occurred to me that in principle we should be able to extend the scope of such a tool to a whole environment.
The IT canary might have some application in cyber security, but I believe the real revolution there needs to be in trust between devices, which is why I started thinking about giving computers fingerprints.
We have lots of neat stuff like Blockchain and tokens to manage trust between devices in a fluid and complex environment, yet we still seem to be more successful at authenticating people than computers.
That’s because people have lots of organic bits like voices and fingerprints which are much harder to spoof than an IP address.
Maybe one way to deliver more effective IT security is to start building that kind of organicity into our IT?
That’s as far as I’ve thought on this, apart from one thing.
One of the last areas Alan Turing explored was the mathematics of genetics and organic growth which underlie apparently random and unique natural patterns like the patches on a Friesian cow or, indeed, a fingerprint.
So much of Turing’s thinking has ended up underpinning IT that I think it would be pleasing to see that last piece added to the jigsaw.
I trust that Techocalypse will not strike, at least not until we come up with a less nauseating term for it, but whether it’s canaries, fingerprints or something else, I believe the time is ripe for something revolutionary to help our CIOs sleep sounder.