Do you know what your enterprise is running on?
Filed in archive Security by Scott Wilson on April 14, 2008
The upshot is that, not long after Sun acquired MySQL, Schwartz and his team were visiting with a customer's senior IT staff and Schwartz asked if they wanted an update on MySQL in addition to the products they were already using. The corporate CIO laughed at the offer, and the security officer said, "We can't just let developers download software off the net, you know, we've got regulation and security to worry about." Only, one of the Sun team had already checked the stats, and found that there had been more than 1300 downloads of MySQL to this particular company's network. It turned out that, unbeknownst to the CIO and his alleged security expert, his developers were using the product intensively.
As Schwartz points out, this is hardly unusual in large corporate networks. What is more unusual is a CIO who either is naive enough not to realize this or hasn't put together a security team that can genuinely and confidently prevent it.
I think you can make arguments either way as to whether downloading and using open source software (or any other software, for that matter) freely and without corporate controls is a good idea. But if you think it's a bad idea and you imagine it's not happening, without having put in place solid, verifiable measures to prevent it, you are significantly out of touch with information technology today.











