Virtualization is great. I have seen massive savings in cost, power consumption, CO2 output, software licenses, and many other areas. Beyond the challenge of bringing these technologies online, though, I have found numerous areas of oversight and weakness. The first is the blending of critical and non-critical systems, and the second is how system owners represent virtual systems with regard to IT compliance and controls.
A common mistake I find is the following: critical and non-critical systems are loaded on the same ESX (or other) server and are allowed to share that server's resources. There is the possibility that an attack on, or activity within, a non-critical host can affect the critical asset. This is due to configuration errors and oversight during deployment. I know this from several first-hand experiences.
A second concern, beyond the likelihood of one virtual host absorbing the resources of another, is the fact that non-critical systems are given less priority for patching, security, funding, and the controls and procedures they are subject to. The end result is that hosting critical and non-critical virtual hosts on the same platform requires either a business acceptance of expanding the scope of security integrity safeguards to cover the non-critical hosts, or a meaningful categorization and segmentation that keeps these types of systems apart from each other.
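As an added illustration (not part of the original post), the following inventory check flags hypervisor hosts where critical and non-critical VMs are mixed, and non-critical VMs on those hosts that run with no CPU cap. The inventory records, host and VM names, and field names (`cpu_limit_mhz`, `mem_reservation_mb`) are constructed assumptions, not output from any real vendor API.

```python
from collections import defaultdict

# Constructed inventory for illustration only; hostnames, VM names and the
# field names are assumptions, not data from a real environment or API.
INVENTORY = [
    {"host": "esx01", "vm": "cardholder-db", "criticality": "critical",
     "cpu_limit_mhz": 8000, "mem_reservation_mb": 16384},
    {"host": "esx01", "vm": "dev-build-box", "criticality": "non-critical",
     "cpu_limit_mhz": None, "mem_reservation_mb": 0},
    {"host": "esx02", "vm": "payment-app", "criticality": "critical",
     "cpu_limit_mhz": 4000, "mem_reservation_mb": 8192},
    {"host": "esx02", "vm": "payment-web", "criticality": "critical",
     "cpu_limit_mhz": 4000, "mem_reservation_mb": 4096},
    {"host": "esx03", "vm": "team-wiki", "criticality": "non-critical",
     "cpu_limit_mhz": None, "mem_reservation_mb": 0},
]


def vms_by_host(inventory):
    """Group VM records under the hypervisor host they run on."""
    hosts = defaultdict(list)
    for vm in inventory:
        hosts[vm["host"]].append(vm)
    return hosts


def mixed_hosts(inventory):
    """Hosts running both critical and non-critical VMs (a segmentation gap)."""
    return sorted(
        host for host, vms in vms_by_host(inventory).items()
        if len({vm["criticality"] for vm in vms}) > 1
    )


def uncapped_neighbors(inventory):
    """Non-critical VMs on a mixed host with no CPU limit: a runaway or
    compromised neighbor can starve the critical VM sharing that host."""
    mixed = set(mixed_hosts(inventory))
    return sorted(
        (vm["host"], vm["vm"]) for vm in inventory
        if vm["host"] in mixed
        and vm["criticality"] == "non-critical"
        and vm["cpu_limit_mhz"] is None
    )


if __name__ == "__main__":
    for host in mixed_hosts(INVENTORY):
        print(f"{host}: critical and non-critical VMs share one host")
    for host, vm in uncapped_neighbors(INVENTORY):
        print(f"{host}/{vm}: non-critical VM with no CPU limit beside a critical VM")
```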
A further post will focus on my concern about how system operators represent their virtual environments, and the larger problems these practices are leading us toward.
Best,
James DeLuccia IV
Categories: Compliance
Tagged: IT Controls, pci, virtualization
Inspired by “How Anonymous Do Businesses Need to be?”
I recently had the opportunity to lend my thoughts on this topic and was included in the article. The article is here, by Lora Bentley, who writes some interesting articles; I highly recommend reviewing her prior work. Below is her question and my response:
“…when and why companies (as opposed to individuals) use such technology as that provided by Tor or Anonymizer and…whether businesses find such tools to be valuable.”
My Response:
The use of such technologies, bleeding edge in concept and application, has proven itself over and over again. Consider the use of BitTorrent, where some companies distribute patches across tens of thousands of systems with a small impact on the network compared with a standard Microsoft patch system. There is also the example of firms leveraging P2P for video transmission within a Fortune 50 company to push training and corporate messages around the globe.
The use of such tools provides a level of security and is very valuable to organizations that deal in research and highly competitive industries. For instance, in the manufacturing space (a former life) we had the research, design, and test systems walled off with concrete and under strict access control rules. Today the public internet is heavily leveraged and end users (researchers) operate around the world on some unsafe networks (coffee shops, and certain nations) where eavesdropping and monitoring are highly likely. Simply observing an employee's Google searches and frequently visited websites would be enough for corporate espionage specialists. In addition, such privacy approaches are valuable for corporate research where the endpoint servers record who and what is visiting; using them eliminates another available avenue of information leakage.
In the end, leading technologies will be used within corporations. Tor and Anonymizer (only a few examples in this arena) provide exceptional safeguards for research and market-testing activities that are not widely available today.
Now, writers do not have a lot of space and must keep a topic concise and digestible; however, I do feel my response deserves a bit more expansion to ensure I am clearly understood, so I have provided it here for all to comment on, question, challenge, and so forth.
What other technologies fit this category? How do we handle these around IT controls and within the PCI DSS space?
Best,
James DeLuccia IV
Categories: IT Controls · PCI DSS