The importance of scalable, efficient security processes
The business world is getting faster and time to react is
being reduced significantly. The days where Information Security could depend
on processes that weren’t efficient or customer focused are gone, as the
business won’t wait to capture an important business opportunity.
An example of this is the expanded use of Virtual Machine
technologies such as VMWare, XEN, etc. This technology allows the business to
deploy new capabilities in a way that was unheard of 5-10 years ago. Your
partners in IT no longer have to wait for the purchase order to make it through
finance, wait for the vendor to ship
hardware or racking in the data center before deploying new IT capabilities.
Here are some ways the virtual machine example is impacting
security. Bottom line -- inefficient and
disconnected security processes are no longer adequate:
Deployment - A VM instance can now simply be deployed with
the press of a button on demand. Security Impact: Expecting to hear about new
systems through the grapevine or via an antiquated process involving paperwork
is no longer a sufficient way to maintain accurate situational awareness. You must
have integration, trust, and agile security review processes in place to
respond to the highly accelerated deployment cycles we now face.
Replication – VMs
can be replicated to many places in a short period of time using a single gold
image(s). Security Impact: If you
haven’t assessed the gold image for vulnerabilities and hardened it
appropriately, a small problem can grow into a very large one, even with a
moderate sized (100 images) deployment. It’s hard enough to try to harden
systems when one is in production, trying to change a 100 will take a
significant amount of your finite resources.
No barriers to entry
– VMs are wonderful in that you can run them on any hardware. Security Impact: This
means that your users can create a limited time VM that meets their needs and
then remove it before any of your detective controls can discover it. While
creativity is a great thing, helping users understand how to safely deploy
these is an important part of your security program.
Limited availability
- you can have the VM on demand as well as for as short a time as needed. Security
Impact: It is now economical to have an application in production for short
periods of time to meet business needs. This also means that a production
application can be put in place before you ever find out about it, putting the
organizations information at risk.
Wile this is not nearly all the risks associated with this
one technology, the above listed are examples of why Information Security must
integrate into the business. Heavy handed techniques will only alienate your
internal customers. Integration ensures
your corporate objectives of protecting information is met. If you make it hard
to do business with your customers, they will simply go around you, therefore
your processes must be efficient, easy and valuable. When you create an easy to
use process, Information Security becomes second nature to your customers. What
are your thoughts?