Vendors are also rethinking their security postures and welcoming third parties who can provide security fixes. “The problem before was, could I apply fine-grained network security to my virtualized environment, and in the past the network ops people said ‘absolutely not. We can’t support it,’ says Chris King, vice president in the networking and security business unit at VMware.
“Now there are technologies available that will enable them to revisit that request and that can now cut the common thread in [these] breaches, which is once an attacker is inside, they’re stuck in that compartment and have to break through another wall in order to attack.”
3. Encrypt the data
It’s top of mind these days, but many companies are still not encrypting, Chiu says. “There’s this outdated thought process, which is ‘if it’s within my four walls, then I don’t need to worry about it,’ but that’s definitely not the case. You need to at least encrypt all customer data and all intellectual property wherever it is in your environment,” Chiu says. “Of course the cloud makes finding it worse because you don’t know for sure where that data is – but encrypting all that data should be a fundamental principle.”
4. Coordinate security and infrastructure teams early on.
There needs to be alignment and coordination between security and infrastructure teams at the beginning of virtualization projects, Chiu says. “It’s a lot easier to build in security controls and requirements in the beginning than to bolt something on later.”
Security also needs to map the requirements of the organization for the next several years, he adds. “Does the company plan to virtualize PCI data, HC data, move to a shared environment where business units and application tiers are all going to get collapsed together? All those things matter because your requirements are going to be different.”
Sign up for CIO Asia eNewsletters.