In 1984, when Award Software began building BIOS firmware for IBM-compatible PCs, the computing stack was simple enough to diagram on a napkin. Hardware at the bottom. BIOS above it. Operating system next. Applications on top. Each layer trusted the one below it implicitly, and the foundation — the BIOS — was a few kilobytes of read-only code burned into a chip.
Four decades later, the infrastructure stack has grown beyond recognition. But the fundamental principle hasn't changed: every layer depends on the integrity of the layers beneath it. What changed is what "beneath" means — and how we verify trust at each boundary.
The eras of IT infrastructure
1984–2000: The firmware era
The BIOS was the first code that executed on every PC. It performed the Power-On Self-Test, initialized hardware, and loaded the operating system. Security wasn't a design consideration because the threat model didn't include it — the BIOS chip was physically soldered to the motherboard, and modifying it required specialized equipment.
Award BIOS, AMI BIOS, and Phoenix BIOS collectively powered nearly every PC manufactured during this period. The BIOS was invisible to most users and most administrators, which was the point — a foundation layer that simply worked.
The infrastructure stack was physical. Servers lived in closets, then dedicated rooms. Networks were Ethernet cables and hubs. Security meant locking the server room door and setting Windows passwords.
2000–2012: The network perimeter era
The internet changed the threat model. Suddenly, infrastructure had an edge — a boundary between the trusted internal network and the untrusted external network. The security paradigm became perimeter defense: firewalls, intrusion detection systems, VPNs, DMZs.
The foundation layer shifted from hardware initialization to network architecture. If the firewall held, the internal network was considered safe. This model worked well enough when users, devices, and applications all lived inside the perimeter.
Meanwhile, the BIOS transitioned to UEFI — more capable, more complex, and for the first time, writable from software. Firmware updates became routine, but so did firmware-level attacks. The foundation layer that everyone trusted implicitly had become modifiable without physical access.
2012–2020: The cloud migration era
Cloud computing dissolved the perimeter. Applications moved to AWS, Azure, and Google Cloud. Users worked from home, coffee shops, and airports. Data flowed through SaaS platforms that the IT department didn't control. The firewall-as-foundation model collapsed because there was no longer a clear boundary between inside and outside.
Identity became the new perimeter. If you could authenticate as the right user, you could access resources from anywhere. Single sign-on, multi-factor authentication, and identity providers (Okta, Azure AD) became the infrastructure that everything else depended on.
This era also saw the rise of the managed service provider as an infrastructure layer itself. Organizations outsourced the management of their computing stack to MSPs, which meant the MSP's security posture became part of the client's foundation. A compromised MSP meant compromised clients — a supply chain risk that the industry was slow to recognize.
2020–present: The zero trust era
The pandemic accelerated a shift that was already underway. Remote work made the perimeter model impossible. The SolarWinds breach (2020) demonstrated that supply chain attacks could compromise even well-defended organizations. Ransomware attacks on MSPs (Kaseya, 2021) proved that IT service providers were high-value targets specifically because of their access to client environments.
Zero trust emerged as the architectural response: never trust, always verify. Every access request is evaluated based on identity, device health, location, and behavioral patterns — regardless of whether the request originates inside or outside a network boundary.
The foundation layer didn't disappear. It expanded. Today's trust boundary spans from firmware integrity through hardware attestation, operating system security, identity verification, network segmentation, and continuous behavioral monitoring.
The modern infrastructure stack
Today's IT infrastructure is a layered trust chain. Each layer depends on the integrity of the layer below it — the same principle as the original BIOS, scaled across a distributed, cloud-hybrid, identity-centric architecture:
| Layer | Foundation role | Trust mechanism |
|---|---|---|
| Hardware/Firmware | Platform integrity | Secure Boot, TPM attestation, firmware signing |
| Operating System | Runtime environment | Code signing, integrity monitoring, EDR |
| Identity | Access decisions | MFA, conditional access, just-in-time privileges |
| Network | Communication paths | Microsegmentation, encrypted transit, ZTNA |
| Application | Business logic | API authentication, input validation, WAF |
| Data | Business value | Encryption, classification, DLP, backup |
| Policy/Governance | Risk management | Compliance frameworks, audit, continuous monitoring |
What this means for IT service selection
Understanding the infrastructure stack as a trust chain changes how businesses should evaluate IT service providers. A provider managing any layer of this stack is a link in the trust chain. A weak link at any layer compromises everything above it — exactly as a corrupted BIOS compromised every application running on the machine.
The questions that matter are:
- Which layers of my trust chain does this provider manage?
- How does the provider verify integrity at each layer it manages?
- What certifications or attestations demonstrate the provider's own security posture?
- How does the provider detect and respond to compromise at the layers it controls?
The BIOS was invisible infrastructure that everyone depended on but nobody examined. Today's IT infrastructure is vastly more complex, but the lesson from the firmware era applies directly: the layers you don't inspect are the layers that fail you.
The Award BIOS perspective
This site exists because the principle that drove BIOS design — build a reliable foundation that everything else depends on — is the same principle that drives sound IT infrastructure today. The technology changed. The architecture changed. The trust model changed. The importance of getting the foundation right didn't.