Network World
Tuesday, December 2, 2008

Good (but old) story.

Security problems continue to exist as long as security is seen as a separate (IT) issue and as long as corporations think that point solutions are the answer to security. Of course no security can ever be 100%, but the risks and costs can (and should) be managed. Surprises happen, but that's part of the business as always.

VMs, new connections, new devices, new users, new racks, new personnel, new applications, new whatever are not (should not be) anything new (heh!). But thinking that a tool or a toy or a policy can alone solve the security problems is so badly flawed today that it is not even funny and (too) often recommended and sold to companies by vendors as the ultimate security solution. And a rule, a regulation, a law or a security standard is just that - a paper before it has been implemented!

The problem with point solutions is that the same problems are solved again and again. It is very expensive, prone to errors and mistakes, makes it possible to forget or for whatever reason to skip some steps, may need new personnel to be trained or hired, definitely makes management and monitoring more complicated and often more expensive, may not work with old infrastructure, and so on - a long list.

The only way out is that security, as any other business function, is planned, designed, managed and controlled, and preferably automated as far as possible throughout the company. Rules have to be broken sometimes but hopefully in security less often than in some other business areas, the risks are just too big.

So, network security (define network?) cannot exist alone! It has to be part of the corporate security, planned, designed and executed that way. Then it will become much more flexible, much less costly, easier to follow rules, regulations, laws, standards and policies, etc. Talking about IT, it has to belong to the same group as (IT) capacity - be it network, electricity, personnel, premises, disk or CPU, budgets, vendor availability, estimated and real growth in number of users, estimated and real growth in application resource usage, etc. capacity; none of those can be solved with any one tool or toy.

ISO 27002 (2700x) combined(!) with business (security and other) requirements offers a nice framework, starting point, checklist, whatever. Many corporations say that they follow whatever standard but in reality concentrate on one or a few aspects and forget the rest. Yes, implementation has a cost and takes time, but it can be done over time (and budget) - the problem is that the rest is often forgotten when one part is done. And once done, even when the technology or some requirements change, the changes can be made easily and economically and the risks of any problems or unpredicted new costs can be managed much better. Just a normal business practice!


How to address some of these VM security concerns


Access control and auditing in the virtual environment is much the same as in the physical environment. First, the logging requirements and solutions are very similar. Second, if you have VMs that require different levels of physical access control, then you need to have physically separate VM server farms to address this.

"And many say VM software out of the box won't suffice for security". That's true for just about every complex piece of software in the corporate environment - you need to lock it down to your company's specifications, and there are many tools (some free) to help you do this with VMware's products.

"VMware's VirtualCenter management won't prevent VM sprawl because VM ID numbers can be changed and re-set". If your company doesn't manage server sprawl well in the physical environment, then don't expect it to get better in the virtual world. Fortunately the same discipline and many of the same procedures apply to the virtual server world to limit sprawl. It would be nice to guarantee an ID to each VM, but then again we had the same issue tagging physical servers...

As for NetFlow, I would love to see that functionality programmed into virtual switches. However, with many VMware farms (but not all) the network traffic eventually hits the physical network, and that's where you do the network statistic gathering. Otherwise you need to use software agents on the VMs to get network stats, which is not ideal.

6 Burnt questions


These questions are so far removed from practical network management as to be worthless. Though part of the networking landscape, I hardly think that anyone is left pondering the significance of VM, MS, AC or anything else beyond just trying to do the basics.

Everyone is so focused on technology silos that they don't know how to manage the network. The geeks just want their technology merit badges so they can increase their market value. "I know VMware and SonicWall..." as part of their credentialization. Knowing how to set up and configure a particular product is a good foundation but doesn't necessarily translate into a well-run network that actually delivers bottom-line results.

The 6 burners I'd like to see people answer are:

1. Is your network actually producing a business ROI?
2. Have you overspent on IT security?
3. Do you know what's happening on the network?
4. How do you verify everything is working OK?
5. When was the last time you checked?
6. If the CEO asked for a complete status report and you were in the midst of 2 projects and daily helpdesk calls, could you produce one in a week?

Solution for multi-user system locking and accountability


We have been using generic accounts for as long as I can remember. Life became more difficult when HIPAA required us to automatically lock systems. Systems were left locked, and admins were constantly being called to unlock them.

To get around the issue of shared accounts we have begun using a product called "Unlock Administrator" (http://www.e-motional.com/ULAdmin.htm). Once the system is logged into using a generic username and password, it is locked in the standard Windows fashion, and the system is set to lock when the screensaver is activated as well.

This program allows you to select which users are able to unlock the system using their own Windows domain credentials. A log of when the system is locked and when and by whom it is unlocked is kept in a protected file as well as in a Windows Event. Users don't have read or write access to this file. This way we have complete knowledge of who used the account and when. Everyone uses their own password, and no password needs to be shared.

This is also useful at nursing stations that are often left locked (as per HIPAA requirements) but abandoned. With this program any selected user (not necessarily an admin) can unlock the system.

Hope someone else finds this useful as well.
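The accountability trail this comment describes, reconstructed as an added example that is not part of the original post or of the Unlock Administrator product: the page does not show the product's log file format, so the one-line-per-event format below (timestamp, LOCKED or UNLOCKED, host, and the unlocking user's domain account) and the sample log lines are constructed for the example, as are the host and user names. The script pairs each unlock record with the next lock record on the same host, so that for any point in time you can answer who was responsible for the shared account, and it flags an unlock that arrives while the station is already unlocked as a gap in the trail rather than a clean hand-over.

```python
"""Reconstruct who was responsible for a shared-account workstation, and when,
from a lock/unlock audit trail.

Added example; not code from the page or from the Unlock Administrator product.
The record format is constructed for this example:
    <ISO-8601 timestamp> <LOCKED|UNLOCKED> <host> [<DOMAIN\\user>]
The user field is present only on UNLOCKED records (the lock itself is
triggered by the screensaver or by whoever walks away, so it names nobody).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log for one nursing-station PC over a morning shift.
SAMPLE_LOG = """\
2008-12-01T07:58:12 UNLOCKED NURSE-STN-3 HOSP\\jsmith
2008-12-01T08:41:30 LOCKED NURSE-STN-3
2008-12-01T08:45:02 UNLOCKED NURSE-STN-3 HOSP\\mlee
2008-12-01T10:02:17 LOCKED NURSE-STN-3
2008-12-01T10:03:40 UNLOCKED NURSE-STN-3 HOSP\\mlee
2008-12-01T13:20:05 LOCKED NURSE-STN-3
2008-12-01T13:21:11 UNLOCKED NURSE-STN-3 HOSP\\bchen
"""


@dataclass
class Event:
    time: datetime
    action: str            # "LOCKED" or "UNLOCKED"
    host: str
    user: Optional[str]    # only set on UNLOCKED records


@dataclass
class Session:
    host: str
    user: str              # account that unlocked the station
    start: datetime        # time of the unlock
    end: Optional[datetime]  # time of the next lock; None if still unlocked at end of log
    gap: bool = False      # True if closed by another unlock instead of a lock record


def when(iso: str) -> datetime:
    """Parse the timestamp field (ISO-8601, second resolution)."""
    return datetime.fromisoformat(iso)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed record format, rejecting malformed lines loudly:
    a silently skipped line would leave a hole in the accountability trail."""
    events: List[Event] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1] not in ("LOCKED", "UNLOCKED"):
            raise ValueError(f"line {lineno}: malformed record {line!r}")
        user = parts[3] if len(parts) > 3 else None
        if parts[1] == "UNLOCKED" and user is None:
            raise ValueError(f"line {lineno}: UNLOCKED record names no user")
        events.append(Event(when(parts[0]), parts[1], parts[2], user))
    return sorted(events, key=lambda e: e.time)


def build_sessions(events: List[Event]) -> List[Session]:
    """Pair each UNLOCKED record with the next LOCKED record on the same host.

    An UNLOCKED record while a session is already open means a LOCKED record
    is missing; the earlier session is closed at that moment and flagged as a
    gap so it is not mistaken for a clean hand-over between users.
    """
    open_sessions: Dict[str, Session] = {}
    done: List[Session] = []
    for e in events:
        if e.action == "UNLOCKED":
            prev = open_sessions.pop(e.host, None)
            if prev is not None:
                prev.end, prev.gap = e.time, True
                done.append(prev)
            open_sessions[e.host] = Session(e.host, e.user, e.time, None)
        else:
            cur = open_sessions.pop(e.host, None)
            if cur is not None:
                cur.end = e.time
                done.append(cur)
            # A LOCKED record with nothing open (e.g. lock straight after logon) is harmless.
    done.extend(open_sessions.values())
    return sorted(done, key=lambda s: s.start)


def responsible_user(sessions: List[Session], host: str, at: datetime) -> Optional[str]:
    """Who had the shared account unlocked on `host` at time `at`; None if it was locked."""
    for s in sessions:
        if s.host == host and s.start <= at and (s.end is None or at < s.end):
            return s.user
    return None


if __name__ == "__main__":
    for s in build_sessions(parse_log(SAMPLE_LOG)):
        closed = s.end.isoformat() if s.end else "(still unlocked)"
        flag = "  <-- gap: no lock record" if s.gap else ""
        print(f"{s.host} {s.user:<12} {s.start.isoformat()} .. {closed}{flag}")
```

The sessions list is what an auditor would want from the protected log file the comment mentions: an interval per person rather than a pile of raw events. Because the lock record carries no identity, the only thing tying an action on the generic account to a named person is the most recent unlock, which is why a missing lock record is surfaced as a gap instead of being papered over.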
