Michael F. Angelo, chief security architect, NetIQ
Success in today’s world is often predicated on the ability to improve, expand, or grow the business by adopting potentially disruptive technology, which is any technology that fundamentally changes the way we operate now or will operate in the future. Past examples of disruptive technology include the internet, the PC, and mobile computing. Looking to the horizon, disruptive technology includes virtualization and cloud computing. Security has the task of minimizing any negative impact to the existing infrastructure that may be caused by the disruptive technology. While the world would be a better place if all security incidents had mandatory warnings – e.g., “Warning: something bad will happen in 10 seconds” – nothing like this exists.
Three things come into play in handling security for disruptive technology:
- Our ability to understand how the new disruptive technology should work.
- Our ability to determine the practicality of its requirements.
- Our ability to detect and react when things go wrong.
Understanding disruptive technology is critical for any security professional. That understanding enables us to analyze the technology and perform an initial risk assessment before implementation. When dealing with disruptive technology, a failure to perform a risk assessment can lead to a serious security event such as loss, failure of the infrastructure, or even failure of the business.
Taking virtualization technology as an example, we see two basic implementations: hosted and non-hosted. A hosted environment has a full O/S on which a virtual machine resides, while a non-hosted environment has a minimal O/S. The hosted environment provides the ability to monitor via the hosting environment, as well as segregated environments for the virtual machines (VMs) to run in. The non-hosted environment gives up a level of monitoring ability, yet provides cleaner segregation of VMs and arguably better performance. If sandboxing (as a security feature) of an environment is more critical than monitoring, one might choose one virtualization technology over another.
When evaluating technology like virtualization or cloud computing, make sure to look for sanity or practicality. For example, if a virtualized environment requires sandboxing, then it is mandatory that reverse inheritance is prohibited.
Unfortunately, understanding the environment and checking requirements might not be sufficient protection for a disruptive technology. All such technologies should therefore be blueprinted or benchmarked while in a well-behaved state. Blueprinting and benchmarking can then be used to determine if something goes amiss. The results can also be used as part of the mitigation analysis. The bottom line is that an understanding of the technology and potential issues enables us to perform the analysis and react to the threat.
Sanity checks and a basic understanding of various disruptive technologies are not really new concepts in the security arena. They are what security professionals do when any new technology (disruptive or not) is placed in our environment today. The reason I have written about them is that, while they are security fundamentals, we do not always follow them. At the end of the day, disruptive technology may be shiny, new, and cool, but it still requires us to follow the basic security practices we have used for years. Over time, the tools change, but the security fundamentals stay the same.