written by
Sudesh Girdhari

Modern Infrastructure refresh: How to determine security goals (Part 4)

Technology Leadership 10 min read

Considering an infrastructure refresh, whether for data center consolidation, edge deployment, or a compute refresh and consolidation? Today's decision-making requires analysis, vision, calibration, and foresight about the next request from the business. For successful organizations and leaders, this means reviewing success factors across business, technical, and compliance/risk goals.

This is part four of a five-part series for organizations considering a refresh of computing infrastructure, a move or migration to the cloud, or application consolidation. VMware takes these inputs into consideration in our operating model for on-premises and cloud. See the considerations below.

In part one of this modernization series, we provided an overview for organizations looking to prioritize decisions in their data center modernization.

  • During part two of the series, we reviewed how to identify and execute on business goals related to infrastructure refresh. It's important that you have clearly defined business goals to build your technical use case and objectives.
  • In part three of the series, we dug into technical goals that define how they support consistent operations, common management, reduce repetitive tasks, and create a flexible model for operating your technology assets.

Review these videos on Security to help understand the different approaches.

Cross-Cloud Solution Video Playlist

In this post the focus is on risk, compliance, and security goals: which risks should be evaluated when setting security goals. We'll review the inputs into risk, compliance, and security when making decisions around infrastructure modernization, data center refresh, and server replacement. We will review how to evaluate the frequency, impact, and magnitude of security events, and lay out a method for documenting risk, security, and compliance goals. The following sections lay out the path progressively.

Establish your compliance risk and security objectives for customers and users.

  • Protect business operations from threats and the impact of breaches. The more visibility you have into your network across your business ecosystem, the better the chance you can quickly detect the signals of a breach in progress and stop it. Often this requires significant investment in visibility and analytics across the business, regardless of location or hosting model.
  • Support new business and operational models. Many businesses adopt new cloud services, create new customer engagement models, and continue to expand employee bring-your-own-device programs. Observability, virtualization, micro-segmentation, and granular data control strategies are key elements of a security strategy.
  • Enable compliance requirements. For many compliance requirements and audits, a secure, segmented network is a basic tenet. Moving forward, adding micro-segmentation and identity-based access makes it easier to deliver compliance-ready operations that eliminate tedious work for FISMA, HIPAA, and PCI compliance.

Define your risk based on impact to business and ensure operational capabilities map to security needs.

  • Low risks. These have a low impact on finance, operations, regulatory compliance, legal, and strategy, and you have accepted them. Reassess them once every three to five years.
  • Medium risks. These are risks you recognize as a problem and need to keep an eye on. Often they are partially mitigated and should be reviewed every two to four years.
  • High risks. Risks in this category require continual monitoring and risk reporting to manage correctly. They often affect finance, operations, regulatory compliance, and customer or employee experience, and they require constant mitigation action, as their potential impact can be devastating.

Define the context and requirements for organizational risk by creating an estimated cost for a security event:

  1. Impact on annual revenue generated by the business.
  2. How many hours do you estimate you lose per year to outages?
  3. Users impacted during an application outage, for each of customers and employees:
     a. Mission-critical applications
     b. Business-critical applications
  4. Have senior executives ever gotten involved in situations when applications faced downtime?
  5. Will senior executives get involved in situations when applications face downtime?
  6. Do you have contractual service-level agreements for application availability to your end users or customers? If yes, what was or will be the cost of financial claims resulting from an outage?
  7. Do you have a contractual obligation to deliver applications to your business partners? What is the cost of partners raising financial claims, plus estimated legal costs, resulting from an outage?
  8. In the past six years, have regulators imposed a penalty on your company due to the lack of service availability? (Define the financial penalty.)
  9. In the past five years, has your company incurred any marketing expenditures to engender customer trust about service availability? (Define the marketing expense.)
  10. What intangible losses would your company suffer during an outage? Consider customers, employees, the average employee cost per hour, and the average executive cost per hour.
  11. Ransomware attacks: the estimated ransom payment to attackers and the cost of third-party digital security forensics.
  12. Lost goodwill (impact on trust).
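The questionnaire above and the low/medium/high tiers with their review cadence can be turned into a simple risk-register calculation. The following Python is an added example, not code from the post or from VMware: it prorates revenue loss by outage hours, weights ransomware costs by an assumed annual probability, tiers the result as a share of revenue, and schedules the next reassessment using the post's cadence. All sample figures, the 1% and 5% tier cut-offs, and the quarterly interpretation of "continual monitoring" are assumptions for illustration.

```python
"""Added example (not from the post): turn the outage/security-event questionnaire
into a rough annualized cost estimate, a risk tier, and a reassessment date.
Every input value, weight and tier threshold below is an assumption for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class EventCostInputs:
    # Constructed questionnaire answers; all fields are assumed inputs in one currency.
    annual_revenue: float                   # revenue that depends on the service (item 1)
    outage_hours_per_year: float            # item 2
    users_impacted: int = 0                 # item 3
    avg_user_cost_per_hour: float = 0.0     # item 10, prices lost productivity
    sla_claims: float = 0.0                 # item 6
    partner_claims_and_legal: float = 0.0   # item 7
    regulatory_penalties: float = 0.0       # item 8, annualized over the look-back period
    trust_marketing_spend: float = 0.0      # item 9
    ransom_estimate: float = 0.0            # item 11
    forensics_estimate: float = 0.0         # item 11
    ransomware_annual_probability: float = 0.0  # assumed likelihood, 0..1
    hours_per_year: float = 8760.0          # assumes revenue is generated around the clock


def estimated_annual_cost(i: EventCostInputs) -> float:
    """Sum the questionnaire items into an expected annual loss.
    Revenue loss is prorated by the fraction of the year spent in outage;
    ransomware costs are weighted by their assumed annual probability."""
    revenue_loss = i.annual_revenue * (i.outage_hours_per_year / i.hours_per_year)
    productivity_loss = i.users_impacted * i.avg_user_cost_per_hour * i.outage_hours_per_year
    contractual = i.sla_claims + i.partner_claims_and_legal
    ransomware = (i.ransom_estimate + i.forensics_estimate) * i.ransomware_annual_probability
    return (revenue_loss + productivity_loss + contractual
            + i.regulatory_penalties + i.trust_marketing_spend + ransomware)


def risk_tier(annual_cost: float, annual_revenue: float) -> str:
    """Tier by expected loss as a share of revenue. The 1% / 5% cut-offs are assumed."""
    if annual_revenue <= 0:
        return "high"  # no revenue baseline to absorb the loss: treat as high
    ratio = annual_cost / annual_revenue
    if ratio < 0.01:
        return "low"
    if ratio < 0.05:
        return "medium"
    return "high"


# Cadence from the post: low every 3-5 years, medium every 2-4 years, high under
# continual monitoring. The shorter bound is used for low/medium, and "continual"
# is represented as a quarterly formal review (an assumption).
REVIEW_INTERVAL_DAYS = {"low": 3 * 365, "medium": 2 * 365, "high": 90}


def next_review(tier: str, assessed_on: date) -> date:
    return assessed_on + timedelta(days=REVIEW_INTERVAL_DAYS[tier])


def risk_register_entry(name: str, i: EventCostInputs, assessed_on: date) -> dict:
    """One row for a risk register: cost, tier and when to look at it again."""
    cost = estimated_annual_cost(i)
    tier = risk_tier(cost, i.annual_revenue)
    return {"risk": name, "estimated_annual_cost": round(cost, 2),
            "tier": tier, "next_review": next_review(tier, assessed_on).isoformat()}


# Constructed sample: a business-critical order-entry application.
SAMPLE = EventCostInputs(
    annual_revenue=50_000_000, outage_hours_per_year=20, users_impacted=500,
    avg_user_cost_per_hour=60, sla_claims=150_000, partner_claims_and_legal=50_000,
    trust_marketing_spend=25_000, ransom_estimate=1_000_000, forensics_estimate=300_000,
    ransomware_annual_probability=0.1,
)
ASSESSED_ON = date(2024, 1, 1)  # constructed assessment date

if __name__ == "__main__":
    print(risk_register_entry("order-entry outage", SAMPLE, ASSESSED_ON))
```

The point of the exercise is not the exact number but that each questionnaire item maps to a term a finance team can challenge, and that the tier drives a concrete review date rather than an open-ended intention.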

Measure and communicate your security framework

Many teams use a framework that describes the required functions and components of a comprehensive security plan. It also offers a method for evaluating the maturity of each element of the framework. Using this, you can identify areas of weakness, design plans to bolster them, and then measure your results. Iterate this cycle continuously to fortify your technology services. Elements of this plan include:

  • Management and Governance - The security organization sets objectives based on current conditions, available resources (staff, budget, technologies, etc.), and the needs of the business; it provides strategic direction, tracks performance, allocates resources, and adjusts to ensure that organizational objectives are met.
  • Technology Security - Functions that maintain the confidentiality of communications, data, infrastructure, endpoints, applications, and cloud and virtual infrastructure; the availability of the connectivity network (wired, wireless, and software-defined); and the capability to protect devices attached to the network.
  • Security Processes - The facility for defining, administering, and tracking privileges across corporate systems; retaining historical log data and identifying potentially threatening security issues; assessing vendors, suppliers, outsourcers, service partners, cloud providers, and other partners against security standards; identifying, classifying, and handling information assets; and ensuring that platforms and operations are maintained and that the business survives unexpected incidents and outages.
  • People and Organizational Security - Define roles and responsibilities for information security within the immediate team as well as across relevant business and organizational functions, coordinate and collaborate with other functions across the organization, and effectively communicate security's role in supporting organizational objectives and business changes.

Infrastructure design and automation require the discovery of your technical goals

A key goal for security teams should be moving away from a perimeter-centric approach to security to a model that is data-driven, identity-centric and adapted for digital business, where even basic business processes are rarely self-contained within the four walls of the corporation.

Zero trust extends to infrastructure modernization and security within the SDDC. In a software-defined world, everything has APIs, including your servers and hardware at the edge. Within this model, application developers gain more control over configuring bare-metal infrastructure. However, this requires guidance, training, and consulting to provide the development team with the right platform. Instead of giving them direct access to hardware APIs, rely on automation to carry out policy as code. Use infrastructure automation tools that can configure systems at scale and keep them aligned to consistent configuration states.

In recent years, cryptography has underpinned platform integrity, from the firmware to the BIOS to the operating system, and has played a critical role in pervasively encrypting application and system data in hardware. Trusted platform modules provide a secure cryptoprocessor that safeguards disk encryption and password protection keys. More recently, vendors have built a "silicon root of trust" directly into the hardware.

  • Data security. Securing and managing data, categorizing it and developing data classification schemas, and encrypting data both at rest and in transit are key pieces of any zero-trust approach.
  • Networks. The ability to segment, isolate, and control the network continues to be a pivotal point of control for zero trust. Segmentation and isolation can better secure networks, and vendors have invested heavily in making their solutions in this space easy to use and powerful when leveraged by seasoned security pros.
  • Workloads. This is the standard term among infrastructure and operations counterparts for the entire application stack, from the app layer through the hypervisor, or for self-contained units of processing such as containers and virtual machines within the stack. Workloads are the front-end and back-end systems that run the business and help it win, serve, and retain customers. These connections, apps, and components must be treated as a threat vector and must have controls and technologies applied to them. Of particular concern are workloads running in public clouds.
  • IoT devices and network-enabled device technologies have introduced a massive area of potential compromise for networks and enterprises. Each of those items introduces new avenues of code and assets that security teams must track and treat as untrusted in any infrastructure. Security teams must be able to isolate, secure, and control every device on the network at all times.
  • Visibility and analytics. Tools such as traditional security information management (SIM), more advanced security analytics platforms focused on security user behavior analytics (SUBA), and network analysis and visibility (NAV) enable security teams to know and comprehend what's taking place in the network. The measure here is the ability of a tool, platform, or system to empower the security analyst to accurately observe the threats that are present and orient defenses more intelligently.
  • Automation and orchestration. Leverage tools and technologies that enable security automation and orchestration (SAO) across the enterprise. They help increase analyst capacity, shorten incident response times, integrate disparate security tools, and orchestrate firewall rules and security policies to decrease security toil while helping to stop attacks. Orchestration also extends security policies to cloud environments, just as you orchestrate cloud applications. Having command and control of the many components used as part of the multi-cloud strategy is a vital piece of the extended ecosystem.

Refine your technical security goals to be feature and future capable

To design adequate data protection policies, you must know what data you have, where it resides, and who needs access to it. There are four areas for data protection: 1) access control, 2) abuse detection, 3) data disposal, and 4) data obfuscation. Security policies dictate which of these areas apply.

Example: Start with an internal focus and move outward once you are comfortable with the approach. This can be used to isolate systems containing payment card information (PCI scope) from other regions of the network so you can control access and monitoring more carefully. Focus on gaining ground and achieving small, measurable wins as you work to improve on your zero trust journey.

Security automation is a needed capability for organizations dealing with the volume and velocity of events. Establish rules of engagement for automatic breach response alongside technology improvements such as security analytics tools: work with operations teams to define when an automatic action is taken and when a security analysis is launched instead.
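One way to make such rules of engagement explicit is to encode them so that the automation itself is bounded. The following Python is an added example, not code from the post or from any VMware product: an alert is auto-contained only when detector confidence is high and the asset is not mission-critical (an automatic isolation there would itself be a high-impact outage), lower-confidence or mission-critical alerts are enriched and escalated, and a per-window cap on automatic containments stops a noisy detector from taking out a whole segment. The alert fields, asset tiers, confidence thresholds, and the cap are all assumed values to be agreed with operations.

```python
"""Added example (not from the post): rules of engagement for automatic breach response.
Alert fields, asset tiers, thresholds and the blast-radius cap are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Literal

Action = Literal["auto_contain", "enrich_and_escalate", "analyst_review"]


@dataclass(frozen=True)
class Alert:
    host: str
    detection: str
    confidence: float   # detector-reported confidence, 0..1
    criticality: str    # assumed asset tiers: "mission" | "business" | "standard"


@dataclass
class RulesOfEngagement:
    auto_contain_min_confidence: float = 0.9
    escalate_min_confidence: float = 0.6
    # Mission-critical systems are never isolated automatically: the outage would
    # itself be a high-impact event, so a human makes that call.
    auto_contain_tiers: frozenset = frozenset({"business", "standard"})
    # Blast-radius cap agreed with operations: at most this many automatic
    # isolations per evaluation window; anything beyond is escalated instead.
    max_auto_contain_per_window: int = 5


def decide_one(alert: Alert, roe: RulesOfEngagement) -> Action:
    """Apply the rules to a single alert, ignoring the per-window cap."""
    if (alert.confidence >= roe.auto_contain_min_confidence
            and alert.criticality in roe.auto_contain_tiers):
        return "auto_contain"
    if alert.confidence >= roe.escalate_min_confidence or alert.criticality == "mission":
        return "enrich_and_escalate"
    return "analyst_review"


def triage(alerts: List[Alert], roe: RulesOfEngagement) -> Dict[str, Action]:
    """Decide an action per host for one evaluation window, enforcing the cap.
    Highest-confidence alerts are considered first so the cap is spent on them."""
    decisions: Dict[str, Action] = {}
    contained = 0
    for a in sorted(alerts, key=lambda x: -x.confidence):
        action = decide_one(a, roe)
        if action == "auto_contain":
            if contained >= roe.max_auto_contain_per_window:
                action = "enrich_and_escalate"  # cap reached: hand the rest to people
            else:
                contained += 1
        decisions[a.host] = action
    return decisions


# Constructed sample alerts for one window.
SAMPLE_ALERTS = [
    Alert("web-01", "known_ransomware_hash", 0.98, "standard"),
    Alert("erp-db-01", "known_ransomware_hash", 0.98, "mission"),
    Alert("hr-app-02", "anomalous_logon", 0.70, "business"),
    Alert("kiosk-17", "port_scan", 0.30, "standard"),
    Alert("kiosk-18", "port_scan", 0.30, "mission"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_ALERTS, RulesOfEngagement()).items():
        print(f"{host:12} -> {action}")
```

With the sample window, web-01 is isolated automatically, erp-db-01 goes to an analyst with enrichment despite the same high-confidence detection because it is mission-critical, and the low-confidence kiosk scan is simply queued for review. Writing the rules this way gives operations a concrete artifact to sign off on and lets the security team test a change to a threshold before it touches production.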

Work to have security integrated with the operations team with a goal to automate or design more-dependable systems and patterns. Develop a reward system focused on improving business metrics. Inspire people to build your future automation and bulletproof designs and become leaders in their domains.

Simulate and perform real-world team testing across applications, operations, and security via a red team simulation. Avoid tests in which the vendor simply runs some scans and tries to find the obvious security gaps. The only way to truly get better and be more prepared for a possible (and probable) attack is to train the way you fight. You need simulated red-team engagements to truly make your team better and prepare your folks to react with focus and intelligence to real threat actions.

Take Action: Work with VMware to launch your modernization efforts and make an impact with the next generation of modern infrastructure, hybrid, and multi-cloud.

Next: Review your goals for compliance and security modernization with this series. Consider the inputs for your future-ready cloud and premise operating model.

Engage with us for a discussion about how to enable a modernization effort:

  • Check out: Map Your Technical Future with the Operating Model for Multi-Cloud & Data Center Modernization
  • This eBook focuses on the importance of cloud strategy from the point of view of cloud architects, and is a must-have list for developing an effective cloud strategy. We review the popular "cloud operating model," which provides a holistic but tactical plan for the "Who," "When," and "How" of ongoing management and governance of cloud service delivery. Readers will discover how the cloud operating model is your blueprint for delivering cloud services, and which key elements to include.
  • Want to find your cloud maturity? Review the Cloud Maturity Assessment
  • Also accompanied by the eBook
  • Start with the VMware Cloud Blog
  • Look for content that matches your goals: for example, "Security"
  • Engage with the author to identify patterns in your business case.
  • Join us for a chat on Slack