Joe Sturonas, a 25-year veteran of the commercial software industry, is responsible for product development at Smart Encryption provider PKWARE, including software engineering, documentation, quality assurance and technical support.
Thanks (or no thanks) to Edward Snowden and Jennifer Lawrence, encryption is cool again. Of course, security architects and CISOs have known encryption was hip since the Clipper chip was dismissed. For years, the challenge was balancing the strength of good encryption with the competing interests of budget and usability.
A Software-Defined Perspective
If you could redo your entire business stack, the experts wouldn’t suggest going the new-security-appliance route. At Gartner’s big IT Security and Risk Management event this summer, the preferred, emergent security option landed around a software-defined approach. Software-defined has different connotations for different architects, developers and data center operators, but from a security perspective it means strong security centered on information (read: people) yet flexible across hardware.
Gartner security pro Neil MacDonald and his colleagues framed the “transformational” software-defined security changes in a release tied to the event.
Software-defined “is about the capabilities enabled as we decouple and abstract infrastructure elements that were previously tightly coupled in our data centers: servers, storage, networking, security and so on. ... Software-defined security doesn’t mean that some dedicated security hardware isn’t still needed – it is. However, like software-defined networking, the value and intelligence moves into software.”
One Call for a New Security Approach
Over the last year, we’ve worked with a large national telecommunications provider. Like any enterprise, they’ve spent decades acquiring new tools and hardware, slipping each shiny new object into their stack. After a while they look back at all these layers and wonder how it all got so out of hand.
Most glaring was how this provider protected information coming into and out of its data center. A few years back, they had shoehorned in a proprietary on-premises crypto appliance, which was essentially impenetrable for anything that stayed inside the data center itself. The problem was today’s business inevitability: IP and customer information creeping out of the data center. The security architects knew it was happening, and at first they felt their crypto appliance could handle whatever they weren’t able to squash in terms of unapproved devices or external storage connections. What they realized, however, was that their “magic box” (the security appliance) forced them to serialize every crypto operation. Employees were getting around this bottleneck by skipping the security steps entirely. The chief security officer and her team realized that the proprietary nature of the appliance’s security setup would have pushed them toward an uncomfortable remedy: opening up a hole in their firewall so that other information sources could get secure access. The security architects faced the prospect of revealing their secrets, the biggest no-no for any magician. Security, they determined, could not be an all-or-nothing proposition.
Questions for Better, Usable Protection
During that talk, and based on what we’ve heard from analysts, we developed five key questions that have helped data center customers get the most from their security plans. By no means comprehensive – security is a process, after all – this handful of questions is meant to give a rounded view for you and your team of architects and developers.
What is realistic to use for data protection given existing systems, platforms and languages? Maybe an obvious first step, but you have to start somewhere. Here’s where that pesky budget discussion comes back up. A word of caution: the compact, easy-to-implement “magic box” cost the security team much more in add-ons and headaches down the road. Security is not Boolean. Prioritize, classify and protect the most sensitive, valuable data first. When you are hacked (because every organization will be hacked), if the attackers take only public and unclassified data, you have still protected the most important information.
What happens if “Vendor X” is hacked or goes out of business? There is lock-in risk with any software or hardware. With security solutions in particular, do your homework on a vendor’s history and the benchmarks by which they defend their protection claims. In addition, some wiggle room for growth in external data sharing and internal programming preferences should receive heavy consideration.
Who in the data center chain of command should see what? This issue emerged with another customer recently, where database administrators could watch encrypted data decrypt into credit and debit card numbers all day long. Protection features for both unstructured and structured data – together with the administrative approvals that govern access – bring a guard against insider threats and common errors.
How will you handle the key management headache? Managing keys is the tough part of encryption. It’s also the part most susceptible to businesses settling on simplistic, one-stop-shop appliances. Get the background on the types of keys that fit your risk appetite and user needs.
Do you have cryptographers on staff? If you do, you’re one of the few. Developers are awesome at learning how to craft features that scroll through and correlate sales trends. Without a cryptographic background, though, they may be setting themselves up for a trial by fire when constructing in-house security solutions. To make sure crypto is actually used for information moving across and out of the organization, developers should approach implementation with a focus on the business drivers, treating security as a business driver and not as a hurdle.
Thinking Security, Freely
It’s not sleight of hand that pushes any security leader or team into choices around data use, storage or security. But critical thinking can keep enterprises nimble and ready for whatever change is to come in securing data and data centers. Harry Houdini explained his illusions this way: “My brain is the key that sets me free.” With the right questions, you can set your team and business free to move toward a stronger security and encryption process, beyond reliance on any one magic box.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.