Monthly Archives: March 2011

March 30, 2011

Security… It is Not what you do… It is How you do IT

By erinkbanks

You know that alarm system you bought? How often do you turn it on? How often do you check to see if it is working? Do you think about your habits and whether having them makes you more at risk? For instance, do you close the garage door before you open your house door, ensuring that no one runs under the garage door and into the house? When you enter in the code on your alarm system, can someone see it from the windows? Do you pay for the alarm company to monitor your system? How often do you change the code? Yes, just putting up the signs in your windows or front lawn deter people, it isn’t a guarantee.  Yes, buying the system is a big step but leaving it on the shelf does not do you any good. Stick with me here…

Recently I tweeted the comment that “security was better in a virtual world than a physical world”. I am a true believer in this statement and will continue to share the thought in my presentations and blog. The “push back” I received was not that the statement was incorrect but I used the incorrect words. This is exactly why I am not a huge fan of Twitter. It is hard for me to have a discussion about anything in 140 character bursts ala Twitter. I tweet thoughts and retweet other’s thoughts but having a discussion I can not. I certainly understand Twitter’s role in the industry and I certainly have not learned the correct process for it and have been corrected multiple times.  Live and learn right?

What I love about security is the fact that security should always be based around a discussion. Security is NOT about products. Security is about implementation and how it is implemented. For instance, you can have a secure environment with one product… a door lock. Put the server in a locked room that only has access by one person and you never put the server on the network. Now this might be idiotic but there are use cases around it. Every security discussion requires a use case and an understanding as to what risk the customer is willing to take and then a solution is built around this. But a solution does not work unless it is implemented (correctly) and continuously monitored. If you put it in place and then just leave it assuming it is just going to work… you are crazy. Security is a daily… hourly… minute… second by second responsibility and if you take your eye off of it for just a moment, you will lose sight of why you implemented it in the first place. Security is nothing without the correct policies in place.. without defense in depth. If you do not understand the infrastructure, if you don’t know the business you are trying to protect, there is nothing that can save you.

In the long run, security isn’t better in any world unless it is implemented correctly and is constantly rechecked to ensure the implementation is doing its job. There are new viruses, new attacks, new technologies, new everything on a daily basis and in a security world, you need to keep up with it. Now I still believe that security in a virtual world is better than a physical world and luckily I had already had this discussion with the customers on the day that I sent the tweet. The customers knew why I made a comment like that but to the average citizen, they may assume that they can set it and forget it but security is nothing like that. There is a language to security and a dialog that is much longer then twitter… That is why I started this blog.

4 comments   |  tags: , | posted in security

March 11, 2011

How Can You Trust the Cloud : Triangle of Trust

By erinkbanks

My friend and fellow vSpecialist Sharon Isaacson and I were preparing for some technical presentations and sessions that were coming up. The sessions were based on the VCE Trusted Multi-Tenant document and how RSA can secure virtual environments as well as the Vblock. We weren’t big on going in there and throwing products at them. We wanted to talk about security, find out how they defined multi-tenancy, and then work with them to see how the products fit into their need. The goal is to talk about security and as I stated in previous posts, it is about trust. Sharon had this great relational understanding regarding trust. I don’t know where she got it from or when she developed it but I told her I was stealing it, using it, and writing a blog post on it.

I coined it the “Triangle of Trust”. Sure when talking about security we use the terms risk and trust. We want to reduce risk and increase trust. But how do you do this? Through policies / procedures and visibility…  that is how you create trust. And of course this trust needs to be established across the entire stack of administrators and tenants. The tenants need to understand that their SLA is being met and the administrators need to easily prove the SLA is being put in place. Service providers need to prove that their policies are complying with the customers needs and wants and that the customers/tenants are getting what they paid for. You don’t want to wait until the last minute, until a disaster has happened to prove that they didn’t do what you asked them to. That is a high risk situation and you might as well not do anything at all. Putting 100% faith into a service provider without any visibility is just crazy. You need the insurance policy.

Policies are what define everything in the infrastructure. Whether it is a policy to define the length and complexity of the password or the fact that the PCI DSS data needs to be encrypted and kept for a specific period of time. Nothing occurs without implementing a policy and proving that it has been done. Once you can prove that, trust is established. Think about this scenario in the real world. You create policies with your children, such as they need to be home at 11:00 pm on a friday night. You need to have visibility that this policy is being met by making sure they stop by your room when they get home. This in turn creates more trust. If you don’t see them at 11:00 pm, how can you be sure they really were there when they said they were.

Trust is essential in every relationship whether business or personal. Trusting in your service provider when they are dealing with your information is even more important. You aren’t leaving your child with a day care provider if you don’t trust them. Why leave your data to a provider if you don’t trust that they are protecting your information. How do they secure the data… with policies… and how are these policies verified…  with visibility into their physical and virtual infrastructure. You can’t have trust without the policies and visibility.. you can’t have visibility unless policies are put in place and a trust relationship is established. Last but not least, policies are nothing with the trust in the infrastructure and the ability to see them.  You get it…  it is a triangle of trust…  everything is based on the trust…the trust in the cloud

2 comments   |  tags: , | posted in cloud security

Follow

Get every new post delivered to your Inbox.