Trusting systems

by James Gaskin

August 27, 2007 —

Listen to the column Trusting systems, or visit our Podcast Center to hear more by James Gaskin.

Who do you trust? Your spouse? Your boss? Your dog? Your software?

Standard answers: Dog absolutely, spouse probably, boss maybe, but who thinks about trusting software? Smart, high performing companies. A leading vendor in this new space, SignaCert (.com), aims to automate software trust, audit trails, and best practices to enable more companies to reap the benefits of management automation reliability.

Building upon work done in his previous company, Tripwire, Wyatt Starnes started SignaCert to go one step beyond change management (detailed last month) and build "white lists" of authorized and validated enterprise software. Starnes called to explain how the IT business lags behind mature automated industries like telecom, automobile manufacturing, and airlines.

"Airlines don't fly until all the lights are green in the cockpit. We do it all the time in IT," says Starnes. Worse, we don't even have lights on most critical systems.

How much do you trust your SQL databases? Can you verify all changes made to the code? Tripwire helps, but what if you could certify a gold standard installation of an SQL database for your company as a baseline, and automatically verify each patch before applying same?

When you absolutely control software code changes, you increase uptime. For industries such as financial services, one more decimal of uptime means saving millions of dollars per year. Tracking code from a known reliable state through each change, automatically, saves serious money.

Automating software control means working with outside vendors (Microsoft et al) and inhouse developers. After all, doesn't much of the code applied to your servers come from fellow employees?

Those familiar with Bill of Materials component presentation understand the value of seeing every piece of an assembly listed, tracked, and verified separately. It works for automobile transmissions, and it will one day work for your software applications, allowing you to track and verify every component, patch, and modification.

"Platforms aren't required to exchange trust credentials," says Starnes, "just identity credentials. Soon we'll express identity and trust before exchanging information." He calls this a positive measurement model, like a white list of known good addresses for your spam filter.

Pricing starts at about $200 per managed device, and financial services companies make up most of their dozens of customers. The drive to automate trusted software controls is new, but critical to companies eager to institute best practices and increase system reliability.

ITworld.com