Tom Olzak

Archive for May, 2009

Server Virtualization and Control Context

In Access Controls, Data Security, HIPAA, Insider risk, Risk Management on May 6, 2009 at 13:50

Traditional database servers are relatively easy to track: you stand up a physical box and place the database on it. The need for a physical system is monitored closely by business and change managers because of cost and other constraints. That constraint is typically missing from virtualized environments. Because network infrastructure engineers can bring up a virtual server with little effort, they typically respond quickly to business or IS requests for additional server resources. Risk due to virtualization is easily managed with a little planning, a few processes and policies, and a network segmentation plan that lets engineers ensure data security without introducing another layer of complexity. The result is a set of control contexts into which database servers are placed based on the classification of the data they store or process.

Control Context Defined

The term “security context” is typically used to describe the framework governing user or application authentication and authorization. It is closely related to the framework of controls used to secure data in a datacenter, but not close enough. This is where a control context fills the gap. A control context is a collection of infrastructure controls which both harden and monitor critical resources and the paths leading to and from them. To better understand this concept, let’s look at Figure 1.
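As an added illustration (not from this article or the CSO piece it points to) of placing a virtual database server into a control context by data classification, here is a constructed Python provisioning check: the classification names, control names, segment inventory and gateway names are all assumed.

```python
"""Provisioning gate for virtual database servers (constructed example)."""
from dataclasses import dataclass, field

# Controls each control context must provide, keyed by the classification of
# the data the database will hold. Names are assumed for illustration.
REQUIRED_CONTROLS = {
    "public":   {"patch_management"},
    "internal": {"patch_management", "host_firewall"},
    "phi":      {"patch_management", "host_firewall", "encrypted_storage",
                 "db_activity_monitoring", "segment_ids"},
}
# Which control context a classification belongs in.
CONTEXT_FOR = {"public": "general", "internal": "general", "phi": "regulated"}

@dataclass
class Segment:
    name: str
    context: str
    controls: set = field(default_factory=set)
    monitored_paths: set = field(default_factory=set)  # gateways with IDS/logging

@dataclass
class VmRequest:
    hostname: str
    classification: str
    target_segment: str
    ingress_paths: set  # gateways through which the server will be reachable

def evaluate(req, segments):
    """Return (approved, reasons). Approve only if the target segment is the
    context the classification demands, provides every required control, and
    every path leading to the server is a monitored one."""
    reasons = []
    seg = segments.get(req.target_segment)
    required = REQUIRED_CONTROLS.get(req.classification)
    if seg is None or required is None:
        return False, [f"unknown segment or classification for {req.hostname}"]
    wanted = CONTEXT_FOR[req.classification]
    if seg.context != wanted:
        reasons.append(f"{req.classification} data requires context '{wanted}', segment is '{seg.context}'")
    missing = required - seg.controls
    if missing:
        reasons.append("segment lacks controls: " + ", ".join(sorted(missing)))
    unmonitored = req.ingress_paths - seg.monitored_paths
    if unmonitored:
        reasons.append("unmonitored paths: " + ", ".join(sorted(unmonitored)))
    return not reasons, reasons

# Constructed segment inventory: one general-purpose and one regulated context.
SEGMENTS = {
    "general":   Segment("general", "general", {"patch_management", "host_firewall"}, {"fw-core"}),
    "regulated": Segment("regulated", "regulated", set(REQUIRED_CONTROLS["phi"]), {"fw-core", "fw-dmz"}),
}
```

Running `evaluate(VmRequest("db-phi-01", "phi", "general", {"fw-core", "vpn-gw"}), SEGMENTS)` rejects the request with three findings, while the same server targeted at the regulated segment through `fw-core` alone is approved.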

Read the rest of this article at CSO online…

Cloud Computing May Solve Patching Problems…?

In Patching on May 1, 2009 at 11:41

Wolfgang Kandek of Qualys is quoted in a TechWorld article as follows:

“We believe that cloud security providers can be held to a higher standard in terms of security,” said Kandek. “Cloud vendors can come in and do a much better job.”

Unlike corporate admins for whom patching was a sometimes complex burden, in a cloud environment, patching applications would be more technically predictable – the small risk of ‘breaking’ an application after patching it would be nearly removed, he said.

Source: Cloud security will supplant patching, says report author, John E. Dunn, Techworld, 1 May 2009

I agree with Kandek’s assertion. However, cloud computing doesn’t relieve managers from ensuring cloud vendors have a good patch process and that they actually follow it.
