VMworld 2011 - Practice Makes Perfect (Security)

During the VMworld 2011 conference, the theme of security came up very strongly. Indeed, there were many parallels to the RSA Conference 2011 in February 2011, which echoed concerns about "putting all your eggs in one basket".

Many solutions were presented, including new innovations from VMware in the form of the vShield family and vertical integration into the RSA enVision tools. Tools are good, but there are few substitutes for common sense and training.

Within all the sessions, I did not really see anything indicating how in-depth Cloud security was to be achieved. Security certifications are mainly focused on awareness of issues pertaining to this theme and some level of descriptive and prescriptive action that can be performed within a framework.

Taking a metaphor linked to security, namely defending a country, there are parallels that can be drawn. Typically an army of some sort (SecOps - Security Operations) incorporates the capabilities of the security force, along with a command and control center for operations (SOC - Security Operations Center).

The army receives training, both general and specific to particular engagement types (security awareness training, security tool training, system administration tasks such as patching, general awareness of threat levels around the world in cybersecurity terms). The army stays fit and in shape to respond should it be called into action. The army is distributed to ensure a response in the correct measure and the correct location (layered security distributed throughout a Cloud environment).

Lastly, to keep things short, there are mock trials and joint manoeuvres taking place to keep the training sharp and realistic, and to ensure a coordinated, knowledgeable response to a given threat. This can be done with partners that share a similar set of goals, such as NATO. This is the bit that seems to be missing.

 

What does this all Mean for Virtualization and the Cloud?

In most client engagements I see, there is a lot of talk about security, security tools and so forth, but very little actual practice or manoeuvres that take place. Teams responsible for safeguarding an environment need the means, and the regular practice, to put the countermeasures in their documented plans into action at speed.
If those plans are automated, then they can be triggered automatically through corresponding events, but the knowledge to trigger them by hand should also be present and tested regularly.

In speaking with some clients on the floor at VMworld, I raised the idea and it seemed to generate a favourable response. Clients and would-be users of cloud technologies are clamouring for safety, and seek to assuage their fears through buying the next great security software that claims nothing needs to be done, apart from issuing a purchase order!

Let's face it, something does need to be done. Tools do need to be acquired - but as part of an Enterprise Security Architecture (ESA) focused on ensuring all IT supporting the business is safe by design, and kept safe through regular threat update measures.

Regular drills are carried out to ensure that the security controls are in place, and mitigation controls can be called for in extreme situations. In the most extreme cases it is necessary to completely cut off outside connectivity while the threat is forensically investigated and stopped!

To be fair, the number of organisations that actually perform PEN (penetration) testing has really increased. However, that is a means to validate the efficacy of the control measures already in operation or determine what is missing.

I would advocate processes and organisational structures, implemented within a Cloud-enabled organisation, that enable testing and simulation of attacks (mock war games) so that each and every SecAdmin is able to block/thwart attacks. Further, I would advocate tracking attacks to source, and procedures for rapidly alerting cyber-authorities & ISPs, ensuring damage is minimized and threat reduction measures are engaged on a broader scale.

 

Why is this important for the CIO/CSO?

The CIO/CSO have responsibilities to ensure that controls are in place and that those controls can be verified and are ready for inspection from regulatory authorities (including the internal audit & security groups).
In terms of budgeting and ensuring the security of your Private Cloud is as users expect, a cyber-war footing needs to be maintained. This internal Cyber-army should be equipped and trained to ensure security of all assets including the brand value of the company that may be at risk from exposure or data leakage.
Globalization lends an extra lever to ensure this type of rigorous security is in place. The measures should be built into the Cloud infrastructure, as well as work in layers around the Private Cloud. SecAdmins should be working with SysAdmins, but there does need to be a clear separation of duties and associated duties.
The Cxx agenda needs to include Cyber Security at Cloud scales in its plans to engender an IT ecosystem where business can thrive. The brand value such initiatives provide enables a sustained competitive advantage to accrue. An Enterprise Security Architecture should be in place, with security groups actively taking a role in supporting agility and speed to market - but with safety and with confidence!

Disclaimer

The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by EMC and does not necessarily reflect the views and opinions of EMC.

Comments

data center service

I have been in search of this information. Great work posting this.

Security Guard Training

Great info. Kudos for sharing!

Jas Dhalliwal

Sorry folks, had missed these comments. Most welcome - and great thing is - still valid even in 2012;-)
