Update Your Policies!

It is time to update your security, data protection, disaster recovery, and all IT policies and guidance. So much has changed in the last year. Now we need to incorporate it into our IT guidance and policies. Security has changed, data protection has changed, and everything else has changed. The only constant is change. Many decisions made in the past are in need of updates. Many of the issues faced before either no longer exist or have better solutions. There are some very handy cases in point: things that mean you need to reconsider some of your baselines as you move forward. This is not just a data center discussion, but also a cloud discussion: a hybrid cloud discussion.

With VMworld coming up, I will tackle some of the bigger items here first, then move on to clouds and data protection.

VMware vSphere

If you are using VMware vSphere, it behooves you to plan an upgrade to VMware vSphere 6.5 U1. “Why?” you ask. To gain more security benefits, such as:

  • Improved audit logging (we can now know who did what, when, where, and how just from the logs)
  • Encryption (VM, VSAN, use of KMIP to share cryptographic secrets, and secure boot)
  • Improved role-based access control
  • Improved identity management
  • Reduced footprint for management components
  • Improved integration with log analysis tools (3rd party and VMware’s own)
  • Improved APIs for data protection and replication
  • Improvements in high performance or high transaction features
  • Improvements in container integration into vSphere
  • Improvements in monitoring vSphere to include predictive capabilities
  • Did I mention improved logging?

There are quite a few features that make up the new VMware vSphere. Many of them are security related. VMware vSphere is now shipping in a much more secure state than before. VMware has done a ton of work in this area, and that is extremely important. However, to gain most of these benefits, the updates should include moving to the vCenter Server Appliance, which is now based on a minimalistic operating system named Photon. Photon was originally designed to improve boot times of container hosts within vSphere. Many organizations did not want to move to the vCenter Server Appliance. It is time to revisit this decision, among others.

The entire management suite for vSphere has vastly improved, to include predictive and machine learning approaches. Granted, many third-party tools now also include machine learning and even artificial intelligence capabilities. The new normal is machine learning systems that can detect patterns of changes instead of just changes. We should rethink how we use the various tools as well. There is massive overlap between operations, security, data protection, etc.

Amazon Clouds

Amazon has announced and implemented several very interesting features, enough to start to update guidance as well. Those are:

  • CloudTrail is enabled by default, and an audit should be performed to ensure it remains that way
  • Amazon Macie for S3 has been introduced to help classify data inside S3
  • Amazon encryption services now include Elastic File System
  • Amazon has introduced a new ETL service to aid in migrating data into Amazon
  • There are also improvements in identity management
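As an added example (not from the original post), here is the kind of check that CloudTrail audit could run. It evaluates trail records shaped like the fields of the CloudTrail DescribeTrails and GetTrailStatus responses, but the records below are constructed sample data, so it runs offline without live API calls.

```python
"""Audit CloudTrail trail records against the settings a policy should require.

Assumption: each record merges the DescribeTrails fields (Name,
IsMultiRegionTrail, IncludeGlobalServiceEvents, LogFileValidationEnabled)
with the IsLogging field from GetTrailStatus. The sample below is
constructed, not pulled from a real account.
"""
from typing import Dict, List, Tuple

# Setting that must be true, and why a defender cares about it.
REQUIRED_SETTINGS = {
    "IsMultiRegionTrail": "trail must cover every region, not just one",
    "IncludeGlobalServiceEvents": "IAM/STS (global service) events must be recorded",
    "LogFileValidationEnabled": "digest files are needed to detect tampered logs",
    "IsLogging": "trail exists but is not delivering logs",
}


def audit_trail(trail: Dict) -> List[str]:
    """Return a finding per required setting that is missing or false."""
    name = trail.get("Name", "<unnamed>")
    return [
        f"{name}: {key} is not enabled ({why})"
        for key, why in REQUIRED_SETTINGS.items()
        if not trail.get(key, False)
    ]


def audit_account(trails: List[Dict]) -> Tuple[bool, List[str]]:
    """Account is compliant if at least one trail satisfies every setting.

    All findings are still returned so stale or partial trails get cleaned up.
    """
    if not trails:
        return False, ["no CloudTrail trail configured in this account"]
    findings = [f for t in trails for f in audit_trail(t)]
    compliant = any(not audit_trail(t) for t in trails)
    return compliant, findings


# Constructed sample: one healthy org-wide trail, one legacy single-region trail
# that stopped logging and never had log file validation turned on.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": True, "IsLogging": True},
    {"Name": "legacy-us-east-1", "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": False, "IsLogging": False},
]

if __name__ == "__main__":
    ok, report = audit_account(SAMPLE_TRAILS)
    print("compliant" if ok else "NOT compliant")
    print("\n".join(report))
```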

Actually, Amazon comes out with security improvements like clockwork. What it is doing now is filling in the gaps in its security offering. Amazon’s people read and listen to everything the security experts say while coming up with their own ways of doing things.

These changes allow you to look at how to better integrate Amazon services across the hybrid cloud. This is definitely a goal for VMware for the rest of this year. It should also be our goal. If you are using Amazon services, the gaps are closing.

Data Protection

With the advent of massive ransomware infections, data protection has once more taken the limelight. There are several new concepts coming out of the traditional backup market to aid in alleviating the impact of ransomware. Some of the new ideas include:

  • Mandatory access controls between application and file system, or at least between backup software and backup repository
  • Improved detection capabilities before backup
  • Implementation of legal hold and quarantining of encrypted data
  • Use of object store with versioned writes as repositories
  • Improved architectures that combine security capabilities with traditional data protection capabilities

The data protection landscape is changing rapidly to account for ransomware. New architectures are being developed as well as point solutions to solve this growing problem. How it will turn out in the end is anyone’s guess at this time. But changes are happening.

Closing Thoughts

Change is happening. It is coming fast, yet there is a common theme. That theme is improving security. It is time to revisit those policies, ideas, and conventions, to weed out the arbitrary decisions and get a better handle on where your organization needs to go. This is a process, but it starts with reviewing your assumptions and making changes to your policies and guidance. With all the new capabilities underlying virtual and cloud environments, how does your organization keep up?
