This is a tough category to define because it changes as the underlying infrastructure changes. We have gone from mainframes to large-scale Unix to hardware-defined data centres, to software-defined data centres to the cloud. To a certain degree, all of these are present today and, in addition, we have hybrids that include two or more of these paradigms. Along with the changes to the underlying architectures the security stack protecting them needs to evolve.
In this year's Security Infrastructure section, we have focused on large-scale enterprise resource planning (ERP) security, remote session security and industrial control systems (ICS)/IoT/hybrid security. These different products take different approaches, but they all seek to address the fundamental CIA requirements of its target infrastructure. One thing that is notable is that the application layer is as likely to be included directly in the security stack as not. This is a fundamental shift in that rather than deploying security for the network infrastructure and separate security for the application layer, these products – especially when it comes to defending an ERP system – take a completely integrated seven-layer approach.
The reason, more or less obviously, is that applications are so tightly interwoven with the hardware and communications architecture that it is difficult to address, effectively, the network model in layers. We are reaching an all-or-nothing world when it comes to deploying a security infrastructure. For example, ERP systems are anywhere from two to more layers thick. They usually contain at least a database layer and a processing layer. They may use a web interface or have a third, discreet, visualisation layer.
Access to any of the outer layers by an attacker can spell access to the backend data if the infrastructure security is not in place and effective. In fact, if the user interface is web-based, that implies a web server somewhere. Web servers can be notoriously unsecure if not protected properly so compromise of the web server can mean a free ride inside.
The three Innovators we have selected this year really show that an effective, seven-layer type of deployment – while not trivial – is doable. You just need to be, well, innovative.