AUTHOR: Blair Hicks
When my daughter was eight, she promised that she wouldn’t date boys until she was 30. Now my daughter is 15, and it turns out that I didn’t have as much time as I’d hoped. If you are a parent, you can probably appreciate how I feel. We all want our children to be safe and there is no safer place for them to be than at home. But the reality is that our children have to venture out into the real world if they are to ever grow into productive members of society.
By the same token, I agree that there is no safer place for my company’s information assets than in a Tier 4 secure data center with complete air gap isolation. However, the reality is that my data has to be accessible in order for my business to operate. If your job is to secure my data assets, you may have thought you had 15 more years before you had to worry about securing that data in a virtualized data center—I’m here to tell you that you don’t.
I have defined “Eight Simple Rules for Protecting My Corporate Data Assets,” which I’d like to share with you. Follow these, and we might just get through the next few years:
1. Firewall rule changes should not delay my time to market.
- I appreciate that my expanding business is introducing all sorts of complexity into the security environment. That expanding business is also how I can pay for all those firewalls. Bottom line—when my team requests a new service, that service should be delivered rapidly and fully operational—inclusive of any firewall rule changes needed to support the requested service.
2. Changes to another department’s or another tenant’s firewall rules should not impact my business.
- If your firewall strategy relies on periodic maintenance windows to implement changes, then there are two major problems. First, business opportunities don’t wait for maintenance windows. Second, establishing a maintenance window presumes that the change poses a risk to existing services. The business demands driving the adoption of cloud technology necessitate dynamic changes that can be performed without disruption of existing services in a global 24x7 environment.
3. Make sure my information is secure following infrastructure changes.
- Infrastructure components are leveraged to meet dynamically changing application requirements. Information security policies cannot be contingent on specific infrastructure components. Consequently, infrastructure changes such as migration to a different server, data store, or even datacenter must not expose the application to additional risk. Requisite protections must remain in place.
4. Make sure my information is available following infrastructure changes.
- In addition to continuing to protect the information following an infrastructure change, the security policy must also permit authorized access to the application immediately after a server or datacenter change. As the infrastructure components can change dynamically, security appliances should be intelligent enough to align to the new structure dynamically as well. Balancing availability and security in the face of changing infrastructure is a challenge, but necessary in the modern business environment.
5. Don’t tell me that the safety of the business data depends on your employees.
- You know the type of employee – he likes to purchase his consumer electronics in the mall, he is occasionally forgetful as he passes through airport security, and he’s clicked on a few links in unsolicited email messages. However, this employee generates a great deal of revenue for my business – I need him or her to continue to focus on growing my business and serving my clients. You need to make sure that your data protection standards cannot be thwarted by their actions – or by the actions of an employee whose motivation may be less honorable.
6. When a breach does occur, provide me with the forensic data I need to fully assess the problem.
- Securely Hardened Information Transgression happens – that is to say that breaches happen, no matter how many preventative measures are put in place. When one does, the viability of my business depends on being able to immediately assess the nature of the breach, identify the causes, and initiate steps to remediate the damage. A complete audit trail of all actions must be maintained along with the ability to deliver verified reports for management, clients, and law enforcement.
7. Make it simple for my employees to be productive wherever they work.
- My business operates in a global 24x7 environment – I want to leverage the best talent and most productive work effort whenever and wherever it occurs. Security policies should enable employees to access my corporate data assets from a range of locations and devices. Unless a negotiated security policy prohibits access to data outside an accredited facility, construct tools that permit authenticated access from a diverse range of locations and devices.
8. If leveraging cloud infrastructure is going to open up new business opportunities and help my bottom line, then I am going to leverage it.
- Regardless of whether your title is an information security officer or security engineer, if you work for me, your job is to grow my business. I depend on my security experts to chart a safe course, but our destination is fixed. If security restrictions are too cumbersome, motivated and well-meaning employees will find a way to circumvent them. Listen to what my developers, DBAs, and systems engineers are requesting and find a way to accommodate them. Decisions regarding my company’s data assets are business decisions – those decisions must be made with regard to my company’s mission, reputation, and bottom line.
If you are managing a business, then you can appreciate the challenge of keeping your data secure while at the same time leveraging that data to drive your business. Your data has to be protected – that requirement never changed. The challenge is in protecting your data in today’s environment. At VMware, we understand that challenge – and that it’s not about trading accessibility for security. It’s about improving both security and accessibility in ways never before possible. VMware’s Accelerate Advisory Services can help clarify the business opportunities associated with a virtualized data center environment, and we can work with your security teams to extend their ability to protect your data. Visit our Web site to learn more about our offerings, or reach out to us today at: email@example.com for more information.
As for help with boys dating your daughter, like all parents, you’re going to have to work that out on your own...