In my third week at VMware I was asked to participate in a vCloud Automation Center (vCAC) demo beta run. This means that before the SEs are asked to demo vCAC, I got to test the videos, test the questions, and demo the product. I personally had never touched vCAC before. To be honest, I had not even seen it. We talked about it a lot on the EMC vSpecialist team, but it just wasn’t a priority for me. For the last couple of days… it was all I knew. And I love it… I love it because of its security play. I love it because it solves security problems.
I believe that vCAC is one of the ways of putting the “yes” back into innovation, versus the “no” that always seems to come out of security people. Innovation is thwarted because we feel like systems are out of our control, and when they are, we don’t know what they are doing. We have to ask the network team to give us insight. Now, with vCAC, we get the security back because we (the security people) can establish governance and control, and that control can bring security.
Governance in itself provides control, but by including the ability to require approval, having separation of duties, and limiting actions on individual and multi-machine systems, you gain even more control. You have the ability to implement your corporate and IT policies within vCAC, and that is superior. The pain with security in the IT realm… yes, in IT, not in the security department, is that they don’t want us in there. They feel like we are smothering them. With vCAC, we can take some of that pain away. We now have the ability to work together to develop the right systems to be utilized.
Just one… one of the many examples is the security attributes added to the machines. These actions can be defined on an individual basis. The screen shot below identifies some of the operations that can be run on the virtual blueprint. As you can see, it gives a lot of options and takes away a lot of options.
Now some may think that those options are just plain security, and I get that. Truly I do, but this isn’t RBAC; these are operations you can take against the virtual machine. This goes deeper, making the virtual machine(s) the “identity”. You can’t avoid the governance and the control. You can’t ignore the fact that I can provide a limited or great number of systems that I have “blessed” to specific groups of people and allow them to request them themselves. If they want to make CPU, memory, and/or storage changes, I can provide that. If I want the requests to be approved, I can provide that. If I want to reclaim those machines, I can do that. I feel that from a security viewpoint, vCAC can do so much more than people give it credit for. This is how we start bridging the gap between IT and security; this is how we bring them together.
#1 by vmmeup on April 18, 2013 - 10:50
Nice article. The really awesome thing is the REST API is fully secured and adheres to the roles within vCAC. So no matter who hits the REST API, they can only get back from it what they have access to.
#2 by erinkbanks on April 22, 2013 - 11:05
Great added information. Thank you for adding input.