Blogger: Eric Maiwald
We are in a time of rapid change – of course this is not news to anyone working in IT. Virtualized environments, cloud computing, software as a service, and mobile workers have changed much of what was normal in the world of IT. If these things haven’t reached you yet, they will soon as the economic downturn forces executives to look for ways to cut costs.
There is one thing that all of these technologies and trends have in common – information or data is moving. Our information is no longer safely locked away in a database on a huge mainframe in a physically secure data center some place. Instead, the information is moving from server to server, data center to data center, and vendor to vendor. Even our own employees are moving information all over the place as they extract information into spreadsheets and store it on local hard drives, USB sticks, and handheld devices. All this mobility is enough to give a security guy the shakes.
Let’s take a quick look at the major new technologies and trends and see what can help:
Virtualization means that applications can be placed on different physical hardware so as to utilize the hardware more efficiently. Specific applications will not live on specific servers any longer. Moving applications around will impact network zoning and other static controls. We can look for security tools that live within the virtual environments but they are only beginning to appear. An alternative is to package some controls with the application (make them a part of the virtual environment that moves with the application). Controls such as host intrusion prevention might help here. Process and procedures may also help. Define risk levels or control requirements for each application and use that criterion as the basis for determining which physical machines are appropriate for different applications.
Cloud computing encompasses a lot of things including hosting services and SaaS (I’ll deal with SaaS in a moment). If servers and applications are hosted at someone else’s data center you may not be able to install all of the network controls that you have at your own data center. So here again, moving the controls into the server (or virtual machine or the part of the application that you control) may alleviate some of the problems. Take for example, web application firewalls (WAFs) – you may not be able to deploy a WAF in front of your servers at a hosting facility. If you need the WAF functions, you might look for vendors offering software solutions that load on to the server rather than residing in a separate appliance. Contracts and SLAs are also important if your enterprise is considering hosting facilities. Make sure you check on what they are really providing and work with your legal department to include the necessary language in your contracts.
Software as a Service
SaaS is sometimes considered part of cloud computing but I wanted to call it out separately as there are some unique aspects to SaaS. The biggest issue is that you will lose all management over technical controls. You will not be in charge of firewalls, IDS/IPS, web filtering, or any other security device on the vendor’s network. At the same time, all of your data will be under the control of the vendor and its employees. So what can you do? There are three big things that can be done. First, before the vendor is chosen and the contract is signed, check out the vendor. Look to see what controls are in place and what control standards the vendor is using. Verify that the controls you’re using are appropriate to protect your data. Second, have a long talk with your legal department and make them aware of the necessary protections and the risks of a breach. See if they can negotiate with the vendor regarding the right to audit the vendor. Third, once the contract is signed, do the follow up. Audit the vendor periodically. Check on what they’re doing to make sure your information is protected.
Employees are working on the road, from home, and from coffee shops. Information is stored on laptops, USB sticks, and handheld computers. You may not even know where the information is actually going as employees may put it on their home machines or personal smartphones. Any of these devices can be lost, stolen, or just given away. For computers and devices that are owned by the enterprise, use proper protection. That means use a VPN, system firewall, and malicious software controls. Try to manage the systems properly so that they are patched and that unnecessary applications are limited. For some devices, you can install a remote erase function that will remove all data if the device or computer does not check in for a certain amount of time (note that this works better on handhelds than on laptops). You can also use encrypting USB sticks that require a password to access the data on the stick (hey even a short password is better than nothing!). If your employees are going to use non-enterprise devices you can set up terminal servers so they can access their desktops (and sensitive information) without having to store too much on the local machine. This also gives you some control over what can be copied to the local machine. When you have employees that need information on non-enterprise machines that will not have reliable network connectivity, you may need to apply controls to the information itself in the form of enterprise rights management.
That was a very quick look at some of the major trends in today’s IT. All of the controls I mentioned need to be considered in the context of the larger IT environment. In other words, do your tradeoffs and identify the risks that you can accept and those that you cannot. Try to mitigate the risks that you can’t accept. Talk to the business. Talk to the other parts of IT as some of the suggestions that I made will have big impacts on networks and servers. You can’t turn back the tide but you can work with it.