
The Good and Bad of Unlimited Policies for a Micro-Segmented Data Center

“Think about an M&M. Once you’re in that M&M, you kind of get wherever you want. With the data center it’s similar. Virtual desktop is in, and now you have free run of the place,” said Aaron Dumbrow (@adumbrow), senior systems engineer, VMware in his Austin Powers-infused presentation "Your Laptop Has Been Stolen with 80,000 Patient Records - You're Held to Ransom for… ONE MILLION DOLLARS!" during VMworld 2015 in San Francisco.

A single perimeter firewall is no longer a sufficient security solution. One step toward a solution that isn’t just hard on the outside and gooey in the center is creating a micro-segmented data center, where you can place an unlimited number of firewalls at different points. The danger in writing policies for what can and cannot communicate is twofold: the flows you missed, and rule sprawl. Too many rules become unmanageable for the administrator and a miserable experience for the end user.

To understand what rules you should create, Dumbrow advises that you first understand the problem you’re trying to solve; he then offers software-defined security as the solution. Given that he works in healthcare, he skews the discussion to healthcare-related issues, but you can extrapolate to almost any other industry.

What is the problem we're trying to solve?

  • Lost/stolen laptops: The first step is to be able to secure the device. The next step is to know what’s actually on that machine, because certain industry regulations levy heavy fines if you don’t know what was on a computer that has been lost or stolen.
  • BYOD: Managing devices owned by a person and the company.
  • Remote/temporary workers: Support this audience, and applications being built by contractors.
  • Patients demand a consumer experience: If it doesn't just ‘work’ they're not going to use it. Why can't it work like this consumer product we love so much?
  • Affordable Care Act requirements: There are so many in there that the healthcare industry is still struggling to understand what they all mean. They have to comply with the law and protect patients. How do you provide care while maintaining compliance?

Software defined security solution

  • Data center micro-segmentation: You have to have data center security before you can have end-user computing security.
  • Isolate: Don’t allow a communication path between unrelated networks.
  • Segment: Control the communication path within a single network. This is where you can create fine-grained enforcement of security. Security policies can be based on logical groupings of VMs.
  • Advanced services: Depending on policies, include third party security programs.
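The isolate/segment model above, and the rule-sprawl problem raised earlier, can be made concrete with a small policy evaluator. The following is an added example, not code from Dumbrow's talk or from any VMware product: the VM inventory, network names, logical groups and rules are all constructed for illustration. It applies isolation between unrelated networks first, then the first matching segmentation rule keyed on logical VM groups, then a default deny, and it flags rules that can never fire because an earlier rule already covers all of their traffic.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory and policy for a hypothetical clinical data center;
# names, networks and groups are illustrative, not from any real deployment.

@dataclass(frozen=True)
class VM:
    name: str
    network: str               # isolation boundary, e.g. "clinical" vs "corporate"
    groups: frozenset          # logical groupings the policy keys on, e.g. {"ehr", "web"}

@dataclass(frozen=True)
class Rule:
    name: str
    src_group: Optional[str]   # None matches any source group
    dst_group: Optional[str]   # None matches any destination group
    port: Optional[int]        # None matches any port
    action: str                # "allow" or "deny"

    def matches(self, src: VM, dst: VM, port: int) -> bool:
        return ((self.src_group is None or self.src_group in src.groups)
                and (self.dst_group is None or self.dst_group in dst.groups)
                and (self.port is None or self.port == port))

    def covers(self, other: "Rule") -> bool:
        """True if every flow matched by `other` is also matched by this rule."""
        return all(mine is None or mine == theirs
                   for mine, theirs in ((self.src_group, other.src_group),
                                        (self.dst_group, other.dst_group),
                                        (self.port, other.port)))

def evaluate(policy, src: VM, dst: VM, port: int):
    """Decide a flow: isolation between networks first, then the first
    matching segmentation rule, then default deny (nothing is implicitly open)."""
    if src.network != dst.network:
        return "deny", "isolate: no path between unrelated networks"
    for rule in policy:
        if rule.matches(src, dst, port):
            return rule.action, f"segment: {rule.name}"
    return "deny", "default deny: no rule matched"

def shadowed_rules(policy):
    """Rules that can never fire because an earlier rule already covers all their
    traffic. Such rules are pure sprawl: review burden with no effect on enforcement."""
    found = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found

INVENTORY = {vm.name: vm for vm in [
    VM("vdi-01", "clinical", frozenset({"vdi"})),
    VM("ehr-web-01", "clinical", frozenset({"ehr", "web"})),
    VM("ehr-db-01", "clinical", frozenset({"ehr", "db"})),
    VM("hr-db-01", "corporate", frozenset({"hr", "db"})),
]}

POLICY = [
    Rule("allow-vdi-web", "vdi", "web", 443, "allow"),
    Rule("allow-web-db", "web", "db", 5432, "allow"),
    Rule("deny-vdi-db", "vdi", "db", None, "deny"),
    Rule("allow-vdi-web-dup", "vdi", "web", 443, "allow"),  # redundant: shadowed by the first rule
]

if __name__ == "__main__":
    checks = [("vdi-01", "ehr-web-01", 443), ("vdi-01", "ehr-db-01", 5432),
              ("ehr-web-01", "ehr-db-01", 5432), ("vdi-01", "hr-db-01", 5432),
              ("vdi-01", "ehr-web-01", 22)]
    for s, d, p in checks:
        action, why = evaluate(POLICY, INVENTORY[s], INVENTORY[d], p)
        print(f"{s} -> {d}:{p:<5} {action:5} ({why})")
    for shadowed, by in shadowed_rules(POLICY):
        print(f"rule {shadowed!r} is shadowed by {by!r}")
```

The order of checks is the point: a desktop in the VDI group can reach the EHR web tier on 443 but never the database directly, a flow from the clinical network to the corporate network is refused before any rule is consulted, and anything not explicitly allowed within a network is denied. The shadow check is deliberately conservative (it only reports a rule whose every field is covered by an earlier one), which is the kind of audit that keeps a growing rule set from quietly becoming unusable.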

Putting a firewall on the desktop can be as granular as you'd like it to be, said Dumbrow, and it is all driven by policy. But as we discussed in our conversation, this is an ongoing battle to balance security, usability, and industry compliance. While they’re not ready to let policies be changed automatically through credential authorization (“We don’t want doctors spinning up servers,” said Dumbrow), they can make the process as simple as possible. When a request for access comes in, the policy change can be handled by a low-level employee, minimizing the workflow disruption for the end user.
