You know that alarm system you bought? How often do you turn it on? How often do you check to see if it is working? Do you think about your habits and whether they put you more at risk? For instance, do you close the garage door before you open your house door, ensuring that no one runs under the garage door and into the house? When you enter the code on your alarm system, can someone see it through the windows? Do you pay the alarm company to monitor your system? How often do you change the code? Yes, just putting up the signs in your windows or on your front lawn deters some people, but it isn’t a guarantee. Yes, buying the system is a big step, but leaving it on the shelf does not do you any good. Stick with me here…
Recently I tweeted the comment that “security is better in a virtual world than in a physical world”. I am a true believer in this statement and will continue to share the thought in my presentations and on this blog. The “push back” I received was not that the statement was incorrect but that I had used the wrong words. This is exactly why I am not a huge fan of Twitter. It is hard for me to have a discussion about anything in 140-character bursts à la Twitter. I tweet thoughts and retweet others’ thoughts, but I cannot have a discussion that way. I certainly understand Twitter’s role in the industry, and I certainly have not learned the correct process for it and have been corrected multiple times. Live and learn, right?
What I love about security is the fact that security should always be based around a discussion. Security is NOT about products. Security is about implementation: what you put in place and how you put it in place. For instance, you can have a secure environment with one product… a door lock. Put the server in a locked room to which only one person has access, and never put the server on the network. Now this might be idiotic, but there are use cases for it. Every security discussion requires a use case and an understanding of what risk the customer is willing to take, and then a solution is built around this. But a solution does not work unless it is implemented (correctly) and continuously monitored. If you put it in place and then just leave it, assuming it is going to keep working… you are crazy. Security is a daily… hourly… minute-by-minute… second-by-second responsibility, and if you take your eye off of it for just a moment, you will lose sight of why you implemented it in the first place. Security is nothing without the correct policies in place… without defense in depth. If you do not understand the infrastructure, if you don’t know the business you are trying to protect, there is nothing that can save you.
In the long run, security isn’t better in any world unless it is implemented correctly and is constantly rechecked to ensure the implementation is doing its job. There are new viruses, new attacks, new technologies, new everything on a daily basis, and in a security world you need to keep up with it. Now I still believe that security in a virtual world is better than in a physical world, and luckily I had already had this discussion with the customers on the day that I sent the tweet. The customers knew why I made a comment like that, but the average reader may assume they can set it and forget it, and security is nothing like that. There is a language to security and a dialog that is much longer than Twitter allows… That is why I started this blog.
#1 by Justin Lute on March 30, 2011 - 09:45
Perhaps a better phrasing of the statement is that virtualization presents an opportunity for better (and easier) security?
So, assuming a diligent, mature security program is in place… Precisely what about virtualization makes it a better platform for effective security?
#2 by erinkbanks on March 30, 2011 - 10:47
There are multiple ways to say the same thing, and I believe a lot is based on what conversations you have already had, but I get “hit” a lot for saying it is easier. People don’t think it is easy, but only because I feel that people don’t get it… or, as I was told via Twitter, people are lazy. That is what worries me most.
Not sure I agree with the phrasing “mature security program”… not sure how to define that. Maybe it is me; I think there are a lot of great capabilities being built just for virtualization. When you look at the security products designed for a physical world and you look at the products designed for now, it is like night and day. I think that is to be expected, though. I love what Intel is doing (yes, it can be used in both worlds) and the vShield capabilities and HyTrust. But I am going back to products…
I feel the discussion needs to stay outside of the products and focus on convincing people not to be lazy. I think that having a virtualization discussion will show how the environment can be secure within itself, and security does include DR and HA.
#3 by oldmanaround on March 30, 2011 - 14:31
I meant “mature” purely as a qualifier along with “diligent,” to get past the precursor discussion about how you still have to be smart and you have to try. Assume an organization is already smart and trying and already understands that it will have to continue to be smart and continue to try to secure a virtualized environment, too. What, then, are the real specifics to tell them about what’s better/easier (and without talking product)?
#4 by erinkbanks on March 30, 2011 - 14:51
Some of the capabilities inherent to virtualization are DoS attack recovery, the ability to apply policies to virtual machines and have those policies stay with the VM no matter where it is moved, and the ability to create machines based on an approved template in a timely fashion… all of these capabilities are a part of the virtualization ROI and play nicely in the security world. I feel the faster you can provide a secure environment for others to work in, the more likely they are to not build the environment on their own. Of course, my favorite… VIRTUAL DESKTOPS… that is my security dream come true (and a future blog post).