Author: Alex Salicrup
The Fifth Estate hits theaters October 18, and with it a reminder of the corporate and government secrets exposed when WikiLeaks founder Julian Assange obtained breached classified data and released it to the world.
Assange and WikiLeaks, as we know, gained access to classified documents through US Army Private Bradley Manning, an intelligence analyst who was recently sentenced for espionage. In addition to this breach, there was Edward Snowden, the contractor for the National Security Agency (NSA) who outed the organization’s telecommunications monitoring programs. — See related by Richard Rees on the VMware Consulting blog: The Snowden Leak: A Windfall for Hybrid Cloud?
In the 80s and 90s the spy scandals centered on individuals passing secrets to enemies of the state, like Aldrich Ames and Richard Hanssen, government employees who sold sensitive information to Russia for big bucks.
These days data breaches are more likely to be driven by a cause than cash. Widely described as hacktivism, breaches and malware attacks are made against corporations—not just governments—often by organizations that see themselves as the arbiters of online justice (like Anonymous). Two-thirds of all data breaches last year were made by installing malware on corporate systems. Almost all breaches were made from external sources.
Since its breach, the NSA, which already had plans to build a private cloud, has accelerated its implementation, largely because it sees automation as a key to eliminating the need for contractors like Snowden. In my experience, this is a good start, but only when it is followed by security policies focused on data classification rather than per application or system.
One of the advantages I see to software-defined networking is that it allows better visibility into where data, platforms, and infrastructure reside as part of the larger virtual infrastructure. The closer to a software-defined data center a corporation gets, the more control and visibility it has over its data security.
I was recently part of a deployment where the client designed innovative ways to classify and secure data, making it harder to breach, easier to monitor, and mostly automated. That’s a scalable solution that delivers enhanced security of precious data.
End-user computing (EUC) is another area where the right strategy needs to safeguard data accessible from devices that can potentially be accessed by someone besides the intended user. In my experience, if a company does not employ a comprehensive EUC solution, staff members will eventually bypass data security policies in order to have access data on their mobile devices.
Organizations will do well to start an internal assessment of how well-positioned they are to manage their data securely in the age of hactivism. Are there opportunities to enhance data security using virtual infrastructure and software-defined networking? Which is more cost effective and efficient? How much would a breach potentially cost? Is your organization capable of managing the infrastructure needed to support virtualization and EUC initiatives?
Let’s face it: No one expects to have their data breached. And yet, the majority of US corporations are victims to it every year. Why risk being one of them?
=====
Alex Salicrup is a business solutions architect for VMware Accelerate Advisory Services.
