Your incident response policy covers what to do when your SIEM tool says, “Hey! We’ve got suspicious activity going on here. Do something.” Exactly what to do is outlined in detail in the incident response policy. As a general rule of thumb, the more lax a company is on security, the better and faster its incident response needs to be, because it is not going to see an attack coming as early as it would if it had better security controls around its systems.
High-level security policies
The following is a high-level list of the policies Logicalis has in place at its public enterprise cloud facilities. Each high-level policy has branches of sub-policies within it:
- Acceptable Use Policy
- Information Security Policy
- Exception Policy
- Policy Terminology Definition Policy
- Change Control Policy
- Data Classification Policy
- Information Security Risk Management Policy
- Access Control Policy
- Data Retention, Archiving and Disposal Policy
- Media Handling Policy
- Firewall and Router Security Administration Policy
- System Configuration Policy
- Anti-Virus and Malicious Code Policy
- Data Backup Policy
- Cryptography and Encryption Policy
- Software Development Policy
- Mobile Computing Policy
- Security Logging and Monitoring Policy
- Security Incident Management Policy
- Business Continuity and Disaster Recovery Policy
Now you see ‘em…
Although the policies and rules that make up an appropriate security program for your organization in a conventional infrastructure can be extended to a private cloud environment, applying security policies in a virtualized environment does add another dimension to everything. As a function of abstracting software and data from the underlying hardware, data moves around in a virtualized environment. VMware, for example, makes it possible to move workloads dynamically within pools of resources.
Strict security policies can be applied to data in virtualized pools of resources, but applying them consistently requires close coordination between the virtualization administrators intent on moving workloads around to optimize performance and the security team determined to lock things up in safe places. The two groups apply different logic in their respective roles and, if they are not talking to each other, it’s entirely possible that the best intentions of one can pre-empt the best intentions of the other.
Technology is emerging that will make it possible to embed security requirements in metadata that would travel with corporate data in a virtualized environment and ensure it stays within the appropriate security zones. In the meantime, the only way to ensure that no HIPAA data, for example, ends up on a non-encrypted storage device is for virtualization administrators to manually check data classifications before they allow data to move to a new location.
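The classification check described above can be written down as a gate that every proposed move must pass. The sketch below is an added example, not Logicalis code or a VMware API: the classification labels, zone names, policy table and inventory are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy: what each data classification requires of a destination.
POLICY = {
    "hipaa":    {"encrypted": True,  "zones": {"regulated"}},
    "internal": {"encrypted": False, "zones": {"regulated", "corporate"}},
}

@dataclass(frozen=True)
class Workload:
    name: str
    classification: Optional[str]  # None means the data was never classified

@dataclass(frozen=True)
class Datastore:
    name: str
    encrypted: bool
    zone: str

def check_move(workload, dest):
    """Return the policy violations for one move; an empty list means allowed."""
    rule = POLICY.get(workload.classification)
    if rule is None:
        # Fail closed: unclassified or unknown data is not moved anywhere.
        return [f"{workload.name}: no policy for {workload.classification!r}"]
    problems = []
    if rule["encrypted"] and not dest.encrypted:
        problems.append(f"{workload.name}: {dest.name} is not encrypted")
    if dest.zone not in rule["zones"]:
        problems.append(f"{workload.name}: zone {dest.zone!r} not permitted")
    return problems

def review_plan(plan):
    """Split a proposed migration plan into approved and blocked moves."""
    approved, blocked = [], {}
    for workload, dest in plan:
        problems = check_move(workload, dest)
        if problems:
            blocked[(workload.name, dest.name)] = problems
        else:
            approved.append((workload.name, dest.name))
    return approved, blocked

# Constructed sample inventory and migration plan.
ENC = Datastore("ds-enc-01", encrypted=True, zone="regulated")
PLAIN = Datastore("ds-plain-02", encrypted=False, zone="corporate")
PLAN = [
    (Workload("patient-db", "hipaa"), ENC),
    (Workload("patient-db", "hipaa"), PLAIN),
    (Workload("intranet", "internal"), PLAIN),
    (Workload("legacy-app", None), ENC),
]
```

Treating an unclassified workload as a blocked move, rather than a permitted one, keeps the gate from approving data nobody has classified yet.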
Fortunately, the hypervisor, the same technology that turns security into a fast-paced game of hide-and-seek, also provides an ideal place to apply security to specific environments. By introducing anti-virus software at the hypervisor level, for example, all the servers running within it are protected. Security zones can also be stipulated at the hypervisor level.
The bottom line is that it is possible to apply as tight a security policy to a private cloud as you can to a conventional infrastructure. And, once you have identified what it takes to keep your data secure in your private cloud, you will also have identified the security requirements that need to be met by a public cloud provider should you decide to extend your infrastructure outside your data center.
The next article in this series, “Under My Thumb: Managing Your Private Cloud,” looks at management considerations including the orchestration, automation and governance that you will need to keep your cloud from blowing you away.
Previous Articles in this series include:
Mixed Emotions: A Cloud of Your Own
How to Sculpt a Private Cloud
Von Williams is director of Information Security and Governance for Logicalis, an international provider of integrated information and communications technology solutions and services, where he is responsible for providing security advice and delivering solutions to meet customers’ security needs. Mr. Williams holds multiple certifications: CISSP, CISM, CISA, CRISC. Before joining Logicalis in 2010, he worked as a security expert for FirstGroup, Convergys, and Sallie Mae.