Securing endpoints has always required balancing context and isolation. Context is about knowing what is happening within an endpoint, while isolation is about the security mechanism being separated from the endpoint that it is protection.
While rare, every now and then, major cloud providers such as Amazon must ponder interrupting service to reboot parts of their environments. It is a curious thing, and leads to asking, “Why?”
Virtual desktop infrastructure (VDI) and the concept of desktop virtualization have become a key part of the IT strategy at a growing number of organizations, as they come to realize the many potential benefits of the technology.
As we head into RSA next month, chances are high that software defined perimeter (SDP) will jockey for position there in the infosec alphabet-soup lexicon. A new piece out this week in the Wall Street Journal shows that a lot of very large enterprises have high hopes for this NIST-backed protocol as security teams struggle in the cloud era to balance management of risk with maintenance of their relevance to the business.
Much has been said in the last five years about how security “needs a seat at the business table”. When this is uttered by a security professional, usually among other security professionals, everyone typically nods and looks at one another knowingly, as if this is a foregone conclusion. Well, it’s not.
Most security teams are still those thankless security nerds that focus on the compliance checkbox. Why? We provide real value…right? We’re defenders of the univer….errr, enterprise!
In the first post of this two-part series, I described security guidance regimes and tools while focusing on VMware. In this part, I extend the conversation to include Citrix and Microsoft, and provide some advice that is applicable across platforms.
Citrix distributes a “User Security Guide” that has valuable security information for configuring the platform, but is not a benchmark suitable for audit purposes.
Not long ago, I presented a webinar on BrightTalk about cloud and BYOD (Bring Your Own Device). In it I discuss how users have myriad options that are outside the control of IT groups – shadow IT. That end-users are using applications powered by public cloud computing isn’t surprising. Most of us, at one point or another, have used web mail to move a file, Evernote to jot-down thoughts, or DropBox to share files.
As virtualization adoption grows, organizations are becoming more attuned to the need to properly configure and lock down virtualization. Virtualization is a complex technology with many facets, and there are numerous types of controls that can be implemented to secure these assets. Most security teams are still developing internal policies and processes to define how virtual infrastructure should be enabled and maintained.
Back to work, people! It's time for CISOs to dust the holiday cookie crumbs from their lips and stop rubbernecking the proverbial car crash that was the Sony incident. As 2015 kicks off, it’s the perfect time to reevaluate plans and priorities, and maybe even engage in a bit of wishful thinking. As security and risk management professionals start the year, the following items are most likely to hit their wish list for the coming 12 months.
In my last post, I explored the idea of improving information security with virtualization technology, namely in the areas of inventory and configuration management. These are likely the most visible and applicable places for “crossover” improvement, affecting both security and IT operations.
It is no secret virtualization technology is changing the datacenter landscape. The agility, flexibility, and overall operational benefits are myriad, and conversations about the return on investment in virtualization have, for the most part, long-since been concluded. However, as with many wide changes in computing, conversations about security implications tend to lag behind. For security professionals, increasing agility can also mean introducing new areas of concern; agility can create fragility.
The news these days in security is mostly “doom and gloom”. Just consulting a site like DatalossDB.org is enough to depress even the most hardened security professional. However, there are technology advances happening all around us - some which may lead to new security issues, and others that may help security teams out enormously.
I’m willing to argue that virtualization technology falls into the latter category on most counts. Sure, there are flaws in virtualization software, and new attack vectors (the hypervisor, management tools, etc.).
