When investigating the security of various products used on-site, in the cloud, or for clouds, I tend to ask the same set of questions. These focus on identity, compliance, logging, and the like. Specifically, I want to know how the product will integrate with security policy and requirements, as well as with other tools and services in use. Unfortunately, not many pass muster even with regard to these basic questions. Because of this, it is time to define why I ask them, why they are needed, and why you need to consider them as you move forward with your own hybrid cloud products.
Security focuses on end-to-end security, integrity, auditability, and regulatory compliance for virtualization and clouds, the SDDC, and the secure hybrid cloud. Security starts where the cloud and virtual environments begin: the end user computing device.
As part of Security, we follow the user through the virtual and cloud stacks until they reach the application they wish to use for retrieving the data that is important to them. Virtualization and cloud security is implemented where there is an intersection between user, data, and application, while maintaining strict control of management interfaces. As such, we explore all aspects of security devices, tools, controls, and guides that impact or can be used to secure virtual and cloud environments.
Recently, I made two interesting support requests, each to a different company. Both companies asked for the output of many different commands and log files. Both balked once I explained my organization’s security policy. The policy reads simply:
No anonymized data shall be delivered to a 3rd party.
It is a simple statement, but it has a powerful effect on all data being delivered to third parties, even for support. It implies that all user, machine, and service identifiers must be tokenized, encrypted, or outright removed. What must truly remain anonymous within our data? This is not simply a support question, but rather a major issue with all data today. Do we even know what is in our data? Do you?
DDoS happens. It happens quite a bit. It will continue to happen. Information on how to prevent DDoS is readily available, but information on how to survive is missing. DDoS is an outage. Do you have a business continuity plan that covers this sort of outage? Does your business close for the day, or do you keep running in a reduced capacity? Or do you run at full capacity? Do you have multiple approaches to your business? Do you use a variety of services?
Institutional knowledge is leaving companies at a rapid rate. Employees are very mobile, moving between companies fairly rapidly. Just as they learn something important, they are out the door. That knowledge is not always transferred to others staying behind. Here one day, gone the next. How can you explain a business decision, technology decision, or any other decision without information? Architects, developers, and business folks should be writing documents to cover all major decisions, but these happen long after the decisions have been made. We lack the reasons behind the decisions, the original questions asked, and all the work leading up to the decisions. We do not want to lose institutional knowledge. Now, into this breach comes a new set of tools.
In a recent conversation, I was considering the data about data that abounds for any business, organization, or person. A great deal of data is stored and classified as public information. The metadata around that data is becoming increasingly more valuable. Is this data maintained, curated, monitored, and controlled in any fashion? The answer varies among people and organizations. Yet, the real question concerns not the data we know about, but the data we do not know about: the “unknown unknowns.” Is this data a risk to our business, to our family, or to our livelihoods?
The VMworld 2016 conference in Las Vegas, Nevada, gave a great deal of attention to both NSX and security this year. While walking around the Solution Exchange floor, I had the opportunity to stop and talk with Tufin about its Tufin Orchestration Suite, which orchestrates security policies across complex, hybrid cloud, and physical environments.