Restless data: Diffusion via virtualization

(Tom Olzak, IT Security) Before virtualization, keeping track of servers popping up in the data center was pretty easy.  There was significant effort to bring up the hardware, and everyone followed the traditional change management process, which included a security review.  This approach helped keep sensitive data within the limits of reasonable and appropriate security, due in large part to the work involved in creating additional data environments.  But with virtualization, data begins to get restless.  And this restlessness causes information to move beyond the confines of solid security controls.

I’m not opposed to virtualization.  I think it is a great addition to the IT toolkit, a way to quickly react to business need while improving business continuity capabilities.  However, we have to adapt our controls and processes to accommodate both the new functionality and the temptations of this new technology, including what I call “diffusion via virtualization.” [...]

Diffusion is not inherently “bad”
Creating subsets of information for reporting purposes is a good idea.  It allows business users to create their own reports, looking at data from multiple perspectives, without having to call the IS department every five minutes.  This is a good thing.  So creating “pockets of data” is not inherently evil or bad.  It does, however, come with a list of challenges, including:

   1. If the implementation teams see security as controlling access to systems rather than protecting data, they typically won’t hesitate to stand up a new database server holding all or a subset of the contents of a production database without a security assessment or audit review.
   2. As data proliferates and diffuses throughout the data center, it begins to fall below the “radar” of security assessments, vulnerability scans, and compliance audits.  This set of conditions can create pockets of sensitive information which are much easier to attack than the original hardened production systems.
   3. Principles of least privilege and need to know are sacrificed because the new database servers are, after all, read only.  What’s the harm…?

The first step in dealing with uncontrolled diffusion is a conversation with the implementation teams.  If they don’t understand that data protection is the central theme of information security, maybe the message was not clearly communicated.

Once they understand it’s about the data, not the systems, a review of existing processes and policies is in order.  The review process must involve collaboration by all technical teams and a clear, common understanding of steps to ensure data is protected, no matter where it might end up.
