André V. Mendes / 09.22.2004 12:00 AM
The Great Debate: To IT or Not to IT
I am positive that almost all of you have run into this recently. You go to a broadcasting technology conference and lo and behold! There it is. Sitting silently in the middle of the agenda, as inevitable as rain on a holiday weekend or a bad reality show during sweeps, the dreaded, "Does IT belong in your network center?"-moderated panel.
You want to skip it and get nine holes in, but you can't. After all, this might be the one panel at which somebody unveils the magic trick to this so-called convergence that everybody keeps talking about. So you sit, listen and hope for enlightenment.
But then it happens. Instead of gaining knowledge, you start hearing the same thing you have heard countless times before. One side of the aisle says "Never!" while the other side says "Now!" You might as well have stayed in the office! But the truth, as often is the case, lies somewhere in between.
THE TIME IS NOW!
On one side, now is definitely the time for well-planned and controlled connectivity to a baseline infrastructure. After all, most modern systems will need access to a domain controller, DNS services and other enterprise applications that may not necessarily be co-located. From a security standpoint, having a shared, well-run authentication and access-control service like Active Directory will allow you to establish and enforce a proper password policy, one that includes well-defined and clearly communicated length, complexity and expiration parameters.
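As an added illustration of the kind of password policy the column is describing (this is example code, not part of the original article, and the policy values below are constructed placeholders, not figures the author gives): a small evaluator that checks a candidate password against length and character-class requirements and computes how many days remain before a password ages out.

```python
from datetime import date

# Constructed example policy. The thresholds are illustrative placeholders;
# a real plant would publish its own numbers in its security standard.
POLICY = {
    "min_length": 12,      # minimum characters
    "min_classes": 3,      # of: lowercase, uppercase, digit, symbol
    "max_age_days": 90,    # expiration interval
}


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = 0
    if any(c.islower() for c in password):
        classes += 1
    if any(c.isupper() for c in password):
        classes += 1
    if any(c.isdigit() for c in password):
        classes += 1
    if any(not c.isalnum() for c in password):
        classes += 1
    return classes


def check_password(password: str, policy: dict = POLICY) -> list:
    """Return a list of policy violations; an empty list means compliant."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append(
            f"length {len(password)} < minimum {policy['min_length']}")
    classes = character_classes(password)
    if classes < policy["min_classes"]:
        violations.append(
            f"{classes} character class(es) < minimum {policy['min_classes']}")
    return violations


def days_until_expiry(last_changed: date, today: date,
                      policy: dict = POLICY) -> int:
    """Days left before the password must be changed; negative means expired."""
    age = (today - last_changed).days
    return policy["max_age_days"] - age


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration run.
    for candidate in ("broadcast", "Master-Control-2004"):
        print(candidate, "->", check_password(candidate) or "compliant")
    print("days until expiry:",
          days_until_expiry(date(2004, 6, 1), date(2004, 9, 22)))
```

The evaluator is deliberately policy-driven: the same functions can be pointed at a different `POLICY` dict for a higher-privilege account class without changing the logic.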
Since these systems need to be backed up on a nightly basis, being connected to an enterprise-level backup system, preferably one that is geographically diverse, will ensure that you can survive minor hardware crashes, data center malfunctions or even incapacitating disasters.
The majority of automation, traffic, digital asset management and other broadcast systems now run on commodity hardware and operating systems. As such, they should be regularly checked for patch levels and upgrades to ensure the highest possible stability and security.
This is a work-intensive process best run in an automated fashion from an update server. In an optimum scenario, you should have a test system, configured similarly to your on-air system, on which you test the latest releases before promoting them to production.
THE TIME IS NEVER!
On the other side, the time is never for complete and unfettered access to your mission-critical on-air equipment. This should come as no surprise even to the most optimistic IT manager.
Just because some of your equipment is on a shared network doesn't mean it has to be exposed. As with any other high-level system, your mission-critical broadcast equipment should be installed, configured and maintained to constantly exhibit the smallest possible attack surface. What does that mean? Well, for one, only absolutely necessary software services should be running at any time.
Many versions of popular operating systems will install with a bevy of services turned on by default. Your plant should research and publish a specific configuration that specifies which particular services are needed and turn off all others.
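One way to turn the published service configuration into a repeatable check, added here as an example and not code from the original column: compare a snapshot of a server's services against the baseline for its role and report anything running that is not permitted, plus any required service that is not running. The baseline, the role name and the service snapshot below are all constructed; the snapshot imitates the `SERVICE_NAME` / `STATE` lines of Windows `sc query state= all` output, which a plant could capture from each host on a schedule.

```python
# Constructed baseline for one hypothetical server role. A real plant would
# publish one of these per role (automation, traffic, asset management, ...).
BASELINE = {
    "automation-server": {
        # services that must be running for the system to do its job
        "required": {"AutomationCtl", "Dnscache", "Netlogon", "EventLog"},
        # services that may run but are not mandatory
        "permitted": {"Spooler"},
    },
}

# Constructed snapshot in the style of `sc query state= all` on Windows.
# Only the SERVICE_NAME and STATE lines matter to the parser.
SAMPLE_SNAPSHOT = """\
SERVICE_NAME: AutomationCtl
        STATE              : 4  RUNNING
SERVICE_NAME: Messenger
        STATE              : 4  RUNNING
SERVICE_NAME: Netlogon
        STATE              : 4  RUNNING
SERVICE_NAME: Dnscache
        STATE              : 4  RUNNING
SERVICE_NAME: EventLog
        STATE              : 1  STOPPED
SERVICE_NAME: TlntSvr
        STATE              : 4  RUNNING
"""


def parse_snapshot(text: str) -> dict:
    """Parse SERVICE_NAME/STATE pairs into {service_name: state_word}."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("STATE") and current is not None:
            # last token is the textual state, e.g. RUNNING or STOPPED
            services[current] = line.split()[-1]
            current = None
    return services


def audit_services(role: str, snapshot: dict, baseline: dict = BASELINE) -> dict:
    """Report deviations of a host's running services from its role baseline."""
    profile = baseline[role]
    allowed = profile["required"] | profile["permitted"]
    running = {name for name, state in snapshot.items() if state == "RUNNING"}
    return {
        # running but not in the published configuration: candidates to disable
        "unexpected": sorted(running - allowed),
        # required by the role but not running: an availability problem
        "missing": sorted(profile["required"] - running),
    }


if __name__ == "__main__":
    report = audit_services("automation-server", parse_snapshot(SAMPLE_SNAPSHOT))
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

Running the check against the constructed snapshot flags two services the baseline never authorized and one required service that has stopped, which is exactly the drift a plant wants surfaced before a maintenance window rather than after an incident.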
Your Ethernet connections should be configured on specific subnets whose particular purpose, traffic type and access routes are well-defined and updated within proper change management records.
Insist that your application provider develop systems that run as services rather than as standard desktop applications with a GUI. This will allow the applications to keep running after you have logged off from the particular server, minimizing the access available to an unauthorized intruder.
If you are relying on the false security of walled-off networks and systems that never get touched after they stabilize, you should be aware that a large percentage of all hacking is done from the inside, either by disgruntled employees or through decidedly low-tech social engineering. Keeping these systems in their original state just makes a hacker's job that much easier. Not to mention that if a maintenance technician from your preferred server provider happens to have an infected laptop harboring the latest port-scanning Trojan, it will cut through your setup like an acetylene torch through rice paper, literally within seconds of plugging into your "safe" walled-off network. And then you might be stuck recreating a setup based on operating systems and drivers that are no longer supported.
So next time you listen to such a panel, wait 'til the end and then ask them this question:
"Can't we all just get along?"
Because at the end of the day, we can, we should and we must. The future of our organizations is at stake.
You can count on IT!