Sep 04

Checkbox Security


Is security something that you feel you HAVE to do? Are you doing the bare minimum required by your auditor? Are you “Checking the box”?

In my role as Virtualization Evangelist, I seem to talk to mostly IT people. I endeavor to educate them on using VMware infrastructure as a layer (or multiple layers) of defense in depth. I spend a LOT of time trying to connect the dots between security and IT, and I keep running into the same issues over and over. The attitude of “I’ve got a firewall and AV so I’m ok” is pervasive.

Newsflash: You’re not OK. Just ask your security guy.

There are a lot of really nasty people out there who are trying hard to get at your stuff. Firewalls are porous, and AV, well, it’s not going to help you with a zero-day attack that no signature exists for yet. I’m not knocking firewalls and AV. They most definitely have their place as part of the “Defense in Depth” story. I’m just pointing out that they can’t be your ONLY solution.

Checking the Box

Sure, you can implement all the stuff that you HAVE to do to check the box. You may even get the thumbs up from your auditor that you’re “Compliant”! But are you SECURE? Compliance measures whether the required controls exist; it says nothing about whether an attacker can get around them. Are you protecting the assets of the business or just covering the assets? (Read into that what you will :))

What’s needed is a sea change in how we approach security. Using every asset at your disposal is critical. With the changes coming in VMware vSphere V5.1, you’ll have more security tools at your disposal. For example, vSphere V5.1 includes vShield Zones and vShield Endpoint in all editions. Zones lets you manage firewall rules at the vNIC level, so the policy follows the VM rather than living on a physical choke point, and gives you increased isolation between VMs; Endpoint offloads antivirus scanning from each guest to a security VM on the host. Together they are a great first step in being able to use firewalls and AV at scale.

Also, and here I go again, you need to leverage automation. Measuring the configuration of your critical assets on a schedule, and feeding those measurements into a GRC solution like RSA Archer, lets you wrap a workflow around the things that need to be fixed and track if/when they actually do get fixed. It’s critical that the IT organization work with security by providing them the data they need to provide better security with minimal impact to the business.
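To make the “measure, then track” idea concrete, here is an added example (it is not code from the original post, from VMware, or from RSA Archer). It compares a snapshot of ESXi host advanced settings against a small baseline, turns each deviation into a finding with a stable ID, and reconciles successive runs so that a finding records when it was first seen and when it was fixed. The baseline entries, the setting names, and the two host snapshots are all constructed for illustration and are assumed, not read from a live host or an actual hardening guide; a real deployment would collect the snapshot with PowerCLI or the vSphere API and push the ledger into the GRC tool.

```python
"""Added example: measure host settings against a baseline and track the
resulting findings across runs, the way a GRC workflow would.
The baseline, setting names and host snapshots below are constructed
sample data (assumptions); nothing here talks to a real vSphere host."""

# Hypothetical baseline: advanced setting -> (expected value, control id, severity).
BASELINE = {
    "UserVars.ESXiShellInteractiveTimeOut": (900, "HOST-SHELL-TIMEOUT", "medium"),
    "UserVars.ESXiShellTimeOut": (3600, "HOST-SHELL-AVAIL", "medium"),
    "Config.HostAgent.plugins.solo.enableMob": (False, "HOST-MOB-DISABLED", "high"),
    "Security.AccountLockFailures": (5, "HOST-ACCT-LOCKOUT", "medium"),
}

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


def measure(snapshot):
    """Compare each host's observed settings to BASELINE.

    snapshot: {host_name: {setting: observed_value}}.
    A setting missing from the snapshot is still a finding: "unknown" is
    not "compliant". Returns {finding_id: finding} so runs can be diffed.
    """
    findings = {}
    for host, settings in sorted(snapshot.items()):
        for setting, (expected, control, severity) in BASELINE.items():
            observed = settings.get(setting)
            if observed != expected:
                fid = f"{host}:{control}"
                findings[fid] = {
                    "id": fid, "host": host, "control": control,
                    "severity": severity, "setting": setting,
                    "expected": expected, "observed": observed,
                }
    return findings


def reconcile(tracked, current, run_time):
    """Fold one measurement run into the tracking ledger.

    tracked: {finding_id: record} carried over from earlier runs.
    A record gets 'opened' when first seen and 'fixed' when it stops
    appearing; a finding that reappears after being fixed is reopened.
    Returns a new ledger; the input is not mutated.
    """
    ledger = {fid: dict(rec) for fid, rec in tracked.items()}
    for fid, finding in current.items():
        rec = ledger.get(fid)
        if rec is None or rec["fixed"] is not None:
            # New finding, or a regression of one previously marked fixed.
            ledger[fid] = {**finding, "opened": run_time, "fixed": None, "last_seen": run_time}
        else:
            rec["last_seen"] = run_time
    for fid, rec in ledger.items():
        if rec["fixed"] is None and fid not in current:
            rec["fixed"] = run_time
    return ledger


def open_findings(ledger, min_severity="medium"):
    """Open findings at or above min_severity, worst first, then by id."""
    return sorted(
        (r for r in ledger.values()
         if r["fixed"] is None and SEVERITY_ORDER[r["severity"]] >= SEVERITY_ORDER[min_severity]),
        key=lambda r: (-SEVERITY_ORDER[r["severity"]], r["id"]),
    )


# Constructed sample: two measurement runs a day apart.
RUN1 = {
    "esx01": {"UserVars.ESXiShellInteractiveTimeOut": 0,        # shell never times out
              "UserVars.ESXiShellTimeOut": 3600,
              "Config.HostAgent.plugins.solo.enableMob": True,  # MOB left enabled
              "Security.AccountLockFailures": 5},
    "esx02": {"UserVars.ESXiShellInteractiveTimeOut": 900,
              "UserVars.ESXiShellTimeOut": 3600,
              "Config.HostAgent.plugins.solo.enableMob": False,
              "Security.AccountLockFailures": 5},
}
RUN2 = {
    # esx01: timeout fixed, MOB still enabled.
    "esx01": {**RUN1["esx01"], "UserVars.ESXiShellInteractiveTimeOut": 900},
    # esx02: lockout setting could not be read this time.
    "esx02": {k: v for k, v in RUN1["esx02"].items() if k != "Security.AccountLockFailures"},
}

if __name__ == "__main__":
    ledger = reconcile({}, measure(RUN1), "2012-09-04T09:00")
    ledger = reconcile(ledger, measure(RUN2), "2012-09-05T09:00")
    for rec in sorted(ledger.values(), key=lambda r: r["id"]):
        status = f"fixed {rec['fixed']}" if rec["fixed"] else "OPEN"
        print(f"{rec['id']:<28} {rec['severity']:<7} opened {rec['opened']}  {status}")
```

The ledger is what the GRC workflow attaches owners and due dates to: `opened` and `fixed` give the auditor evidence of when a gap existed and when it was closed, and treating an unreadable setting as a finding keeps a collection failure from silently reading as “compliant”.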

What I present to customers

As I call out in my recent presentation, “Understanding the Measured Risks of Cloud Security”, this attitude of securing with just a firewall isn’t good enough. Also read the blog post “The Palace of Harmonious Virtualization” as well.

I want to hear from you!

What I’d love to hear from are customers who ARE using the virtual infrastructure to provide new ways of securing their environments. Reply here or send me an email. I’d love to showcase some of your thoughts as well.