Security thoughts on consolidation

Comments

Related

Active Comments

Mark says: How refreshing to read an overview of someone's honest opinion about their lack of understanding of the virtual environment. I...

Read the rest | Reply

Waldo says: New technology should be embraced, from a security perpective embrace virtualisation, gain an understanding of the risks and mitigate them....

Read the rest | Reply

All Comments (3) | Post New

• If I Were in Charge of the World
• Switching Gears, and Looking Back
• Shoveling Sand Against the Tide
• Finding True Diversity
• Seeking Dollars for Scholars

Zone

The Security Zone With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones

March 10, 2008 (Computerworld)

• At issue: Consolidation and virtualization are on the table.
• Action plan: Think of all the security implications ahead of time.

As budgets have tightened and staff sizes have decreased in the state government I work in, the drumbeat for consolidation has gotten louder. Until now, it has sounded to me like two parts politics and one part hype, so I've tried to ignore it. I don't think I'm going to be able to keep doing that, and so I will have to face the security implications head-on.

Politics is always a big factor in government, of course. Some people are quite taken with the magical idea that if you take all the IT and security people in the state and organize them under one umbrella, you will realize efficiencies and cost savings. Magical thinking isn't my thing; I can't help but wonder how this wonderful idea would work in the real world, where every state agency has its own business needs and requires different support skills, where offices are distributed across a rather big chunk of terrain, and where network, server and desktop standards are, to say the least, varied. And everything we do these days is constrained by crippling budget cuts. Yet we would have to spend a lot of money standardizing across the board before we could consolidate support.

However, an agency that is part of the same department as mine has been touting virtualization as the key to cost savings. My boss is being pressured by management to respond. He said he didn't want me to work on this immediately, but to think about it. That was nice of him, since he knows I don't have the time for anything extra.

Thinking about it raised a lot of questions for me. For starters, are we talking about server virtualization, desktop virtualization, storage virtualization, or what? Are we going to identify services that can be shared and serve up those applications from a data center housing virtualized servers and storage? How does that impact bandwidth? Who's going to be responsible for a statewide cost-benefit analysis? And how does all this affect security?

Thinking Security

I am of the school of thought that says that, outside of some specific purposes, virtualization is not ready for prime time. I also think security is not served by putting all your eggs in one basket my view of server virtualization.

But, I remind myself, I'm not in charge. What I need to do is analyze what, if any, components of our environment can be virtualized. Then I need to analyze the effect on security.