Perhaps you’ve heard information security being labeled by IT operations or the business with the following words: shrill, hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, perpetually focused on irrelevant technical minutiae…
Almost every information security practitioner I’ve talked to (myself included, by the way) admits to having heard some of these words associated with them. While difficult to hear, it often indicates that information security is not perceived as contributing to business goals. Worse, we may be perceived as actively obstructing those goals!
It is becoming clear that virtualization is going to make this problem worse, not better. In fact, one of the most provocative conversation threads on this blog is around the topic of who owns the virtualization security responsibilities. Should it be information security or the VM administrator? Oh, and by the way, won’t the VM administrator quickly disappear as a specialized role? And so forth.
To me, the most telling indicator of the extent of the disconnect is a comment Andrew makes:
“Don’t get me started on security…most of them (here at least) are terrified they are going to break ESX by hardening it (and piss off everyone who uses a VM for their services in the process), and they have difficulty understanding that the VMs need to be secured as well (‘When ESX is secure, all the VMs will be secure too!!’).”
Ah yes. Andrew, you speak truth, brother. It all sounds so familiar, though, doesn’t it?
Andrew points out a very common dynamic between IT operations and information security. Operations impedes security goals by deploying insecure components into production (for instance, an improperly configured VMware ESX server running mission-critical services), by making production IT infrastructure hard to understand, by operating without information security standards, and by failing to quickly address known security vulnerabilities.
On the other hand, information security impedes IT operations goals by seeming to create endless bureaucracy: handing IT operations man-years of “urgent security changes that need to be made,” some of which cause catastrophic failures (of which Andrew seems to have been a victim in the past), getting in the way by taking too long to do security reviews, delaying projects, and so on.
Does virtualization security really matter this much? It’s difficult to believe that it won’t: Gartner stated that 60% of virtual servers will be less secure than their physical counterparts, and 30% of virtualized servers will be associated with a security incident.
The good news is that it doesn’t have to be this way, and virtualization provides a unique opportunity to not only end the disconnect, but maybe even get information security and IT operations to like each other — or at the very least, have a mutually respectful working relationship. But how?
This is the problem that we tackled when I wrote the whitepaper Gene Kim’s Seven Practical Steps To Mitigate The Security Risks of Virtualization. It was based on the years of research that went into the Visible Ops™ Security Handbook, which I recently co-authored with Paul Love and George Spafford.
Based on 10 years of researching high performing IT operations and security organizations, it connects the dots — you could even call it marriage counseling — on how to link IT security and operational objectives by integrating security controls into IT operational, software development and project management processes.
The seven practical steps are:
- Step 1: Gain Situational Awareness
- Step 2: Reduce and Monitor Privileged Access
- Step 3: Define and Enforce Virtualization Configuration Standards
- Step 4: Integrate and Help Enforce Change Management Processes
- Step 5: Create a Library of Trusted Virtualized Server Builds
- Step 6: Integrate Into Release Management Testing and Acceptance Procedures
- Step 7: Ensure Virtualization Activities Go Through Change Management
By following these steps, information security gains situational awareness of the work being done by the IT organization, understands and starts to reduce the information security and IT operational risks around access, configuration and change, and starts adding value by helping IT operations achieve their objectives (e.g., increased uptime, decreased unplanned work, and less time spent babysitting auditors). And, of course, information security becomes integrated into the daily IT operational work, and can now effectively start to prevent, quickly detect, and recover from security breaches.
And remember to register for the upcoming webinar that security luminary and virtualization expert Mike Poor from Intelguardians and I are giving on July 7, 2008. In the webinar, we will be giving concrete examples of how to complete each one of these seven steps. It will make you laugh and cry, but most importantly, it will generate some thought and practical actions that you can put into practice immediately to make your virtualized computing environment a little (or a lot) more secure!