Mike Foley is a Senior Technical Marketing Manager at VMware.
Securing your virtual environment is a constantly evolving challenge with changing variables. Checkbox security, a strategy that focuses on compliance, does not make your environment secure. It is a strategy of complacency leading to eventual failure. A comprehensive risk strategy tackles compliance and security and can be achieved through governance automation.
Some may argue that if your environment is fully compliant with a stringent regulatory standard (PCI for example, as this is a particularly wide-reaching compliance standard), then your environment is “secure”. The assumption is that meeting a standard means that you have shored up any security vulnerabilities. This can be a fatal assumption. Compliance with a particular standard, be it FISMA, HIPAA, SOX or the aforementioned PCI, simply means that you are in alignment with a set of externally defined criteria with the ultimate goal of protecting sensitive customer or user data.
While there is an extra level of complexity that must be taken into account with dynamic virtual infrastructures, there are tools that can ensure compliance even in a virtual environment. Because compliance mandates are standardized and well defined, a “checkbox” approach to compliance does make sense.
That being said, while there are tools that provide the appropriate checks and audits needed to verify and maintain compliance, they often do not address actual security challenges or vulnerabilities. Compliance provides safeguards for specific types of security risks such as accessing credit card or health record data. Securing your virtual environment is a more fluid task that requires vigilance against both external and internal threats such as breaches, misconfiguration, access control changes, authentication and more.
A checkbox security approach breaks down in this scenario – there are simply too many variables outside the scope of compliance-focused toolsets to ensure the security of your environment. A checkbox security approach that relies on your compliance policies is, simply put, vulnerable. Being compliant does not mean your environment is secure; and conversely, just because your environment is secure does not mean it’s compliant.
Governance automation can go a long way toward satisfying compliance requirements while also enforcing security policies to protect against internal and external threats. In a virtual or cloud-based (public, private or hybrid) environment with constantly shifting and distributed resources and possibly shared services, automated governance tooling is indispensable for implementing a comprehensive risk strategy at scale, no matter the size of your organization. A good governance solution will ensure that security tasks, such as identity and access management for personnel, are executed. Other tasks can be automated, including provisioning, authentication and authorization as well as more organization-specific, granular security processes. Governance automation can not only deliver key elements of good data stewardship such as secure access, encryption and loss prevention, but also recognize vulnerabilities, perform remediation and ensure audit readiness. These benefits of governance automation do not even take into account the additional benefits provided in a virtual or cloud environment, such as overall cost controls and the increased speed of business processes.
It’s an all too common downside of the “checkbox security” approach that you don’t actually get the security you’re looking for. This problem is exacerbated in a virtual or cloud environment where flexibility and scale open up a whole Pandora’s box of additional checks and processes that will impact the productivity and security of a limited toolset – especially if data is compromised or a vulnerability is attacked.
Governance automation provides controls for regulatory compliance and data protection while incorporating security policies to address vulnerabilities, protecting enterprises from both internal and external threats and eliminating the inadequacies of checkbox security.
Opinions expressed in the article above do not necessarily reflect the opinions of Data Center Knowledge and Penton.