The Evolution of Technology and the Rise of Information Technology
In the early days of computing, securing information was relatively easy. Information was stored in a locked room, on a large mainframe computer, with a proprietary operating system, supporting tightly controlled remote access from known locations. Figure 1 depicts this type of environment.
The dumb terminals used to access applications and data on the mainframe were incapable of storing data locally; they had no disk drives. Viruses were unknown because information couldn't be loaded or downloaded to terminals, and the Internet wasn't a critical business network. Physical access to the mainframe was necessary to load programs. Even then, the permissions necessary to load applications were very tightly controlled. In addition, technology that allowed the easy download and removal of information, such as thumb drives, didn't exist. Access to the information on mainframes was effectively controlled by a few User IDs, passwords, and locked doors.
The next major innovation in business processing was the personal computer (PC). The PC introduced new security concerns. First, much of an organization's processing was moved to the PC. Unlike dumb terminals, PCs had local processing capabilities and local storage devices. In addition, PCs provided opportunities for placing confidential information on removable storage, such as a floppy disk, which could be easily moved to unauthorized locations. Second, organizations began to connect PCs together in LANs. This allowed the movement of information between PCs and a mainframe. See Figure 2. As more and more information moved about an organization, there were additional opportunities for it to be intercepted by unauthorized individuals.
Third, PCs introduced non-proprietary OS's, like MS-DOS. (Microsoft Disk Operating System). With the proliferation of these OS's came the birth of viruses. Early viruses were spread by floppy disk sharing or by moving files from one PC to another over the LAN. Finally, PCs were frequently equipped with modems. Connecting a simple telephone line to one of these communication devices provided users with access to the outside world. Although the Internet didn't exist, threats to information security were still downloaded into business environments by unsuspecting business users.Like with the mainframe-only environment, security was primarily provided by User IDs, passwords, and locked doors. The mainframe remained the primary center for the processing and storage of critical business information.
Over time, the simple PC evolved into a PC server. The combination of the processing power of the PC server and the convenience and flexibility of desktop PCs led to less dependence on the more costly and proprietary mainframe. Dumb terminals were gradually replaced by PC's. Figure 3 depicts a LAN centric network. The mainframe has become just another network attached device. The primary device used to access the mainframe has changed from the dumb terminal to the desktop PC. Modem pools were replaced by more flexible and secure remote access routers.As LAN's grew, so did the decentralization of an organization's information. No longer was information stored in a centralized mainframe. Much of the information necessary to operate the business was located on multiple servers or desktop PC storage.
One of the most significant developments, however, was the introduction of the Internet. This public, shared, global network was accessible from both controlled access points as well as uncontrolled access points, such as locally attached modems. Customers and vendors began insisting on business use of the Internet for email, file transfers, or simply providing general information about an organization. Along with vendors, customers, and employees, crackers also got busy transforming their viruses into worms and trojans that had the capability of moving effortlessly across the Internet's various nodes.Today, the mainframe is usually absent from an organization's network. Instead, large businesses deploy hundreds of servers to process and store data. Figure 4 is a logical view of a modern network.
In today's networks, organizations must protect information as it travels across various network devices and is stored on a variety of storage media. In addition, there are multiple connections to the outside world that are less safe than in the past. For example, most organizations have a high speed connection to the Internet. The Internet is like the Wild West; no one is in control and it's each person's responsibility to provide protection for himself. Many organizations have multiple locations, each with a LAN, storage, and outside connections. This significantly increases the risk to critical information. Although the move from isolated, centralized processing to distributed, connected networks has improved business agility and productivity, it has also introduced a host of security challenges. This resulted in the elevation of Information Security from simple account management to an integral part of business operations.