Tom Olzak

Server Virtualization and Control Context

In Access Controls, Data Security, HIPAA, Insider risk, Risk Management on May 6, 2009 at 13:50

Traditional database servers are relatively easy to track. You stand up a physical box and place the database on it. The need for a physical system is monitored closely by business and change managers because of cost and other constraints. However, this constraint is typically missing from virtualized environments. Because network infrastructure engineers can bring up a virtual server without much effort, they typically respond quickly to business or IS requests for additional server resources. Risk due to virtualization is easily managed with a little planning, a few processes and policies, and a network segmentation plan that enables engineers to ensure data security without introducing another layer of complexity. The result is a set of control contexts into which database servers are placed based on the classification of the data they store or process.

Control Context Defined

The term “security context” is typically used to describe the framework governing user or application authentication and authorization. It is closely related to the framework of controls used to secure data in a datacenter, but not close enough. This is where a control context fills the gap. A control context is a collection of infrastructure controls which both harden and monitor critical resources and the paths leading to and from them. To better understand this concept, let’s look at Figure 1.

Read the rest of this article at CSO online…
