Uncategorized

The Secret to Getting Security to Say ‘Yes’

By Richard Rees, Security & Compliance Architect, VMware Professional Services

My post last week about the NSA and hybrid cloud I shared an important equation from the security world: Trust = Visibility + Control. In other words, if I’m going to trust a third party with my data assets, I need to have more visibility to make me comfortable with less control.

Today I want to highlight the different requirements that security, IT, and business have for building trust, and how improved visibility can help all three build a more successful working relationship.

Let’s start with security, the most risk-averse, and a mindset I have the best insight into. We know that business and IT are frustrated when we say no, but they need to understand our thought process. If security says “no,” and something bad happens, we get to say “I told you so.” If we say “no,” and nothing bad happens, we’re still ok. But every time we say “yes” we take a risk on getting burned. And we’ve been burned plenty before.

The business side has completely different requirements for trust. To them, risk is just the cost of doing business. You acquire a company, it doesn’t perform as you expected, you sell it off again. That’s that. Meanwhile, IT is somewhere in the middle, focused on efficiency and service delivery to the business.

When these different risk tolerances are competing (instead of collaborating), new problems arise, like the precipitous growth of “shadow IT” and the security problems it poses.

If security wants to improve its relationship with the business, it will have to find ways to get comfortable saying “yes.” And if you’re a provider or on an IT virtualization team and you want to make headway with the “no mentality” in security, you need to provide the right rules and the tools to make them feel comfortable moving to a new environment. Looking at the “visibility” side of the “visibility + control” equation can help both.

Specifically related to virtual environments, there are two great VMware tools that help provide visibility and security.

  • The distributed firewall inside of VMware NSX puts a firewall between a virtual machine and every other virtual machine in the entire virtual infrastructure. And by allowing them to be centrally managed, it avoids the nightmare of having 50,000 rule sets to manage. Instead, security has one or two rule sets and everything is logged to a central location. This provides greater control, as well as greater visibility; with the internal flow monitor, security has insight into all traffic patterns in the environment.
  • The Service Composer tool in NSX collects all third-party security tools in one pane of glass where the team can manage, control, and apply security in one place. This is tightly linked to the entire virtualization management fabric, giving security teams greater visibility into the entire infrastructure, not just the security pieces.

Improving visibility helps security teams trust third-party IT services. By offering security additional visibility into the virtual environment, internal IT and virtualization teams will quickly find security easier to work with. As these tools help foster a climate of collaboration between security, internal IT and other providers, trust will increase, as will the number of “yeses” from security. And ultimately, that new flexibility will be felt (and seen) by business, helping them to  see IT and security as partners in growth, instead of obstacles to it.


Richard Rees is an architect with the VMware Professional Services security and compliance consulting team, specializing in building secure and compliant virtual environments. Richard also advises clients in creating governance, risk, and compliance frameworks for cloud operations, enabling organizations to entrust and manage data assets and identities, and to prove compliance.