Tips for Governance and Assurance in the Brave New Virtual World
By Lisa R. Young, CISA, CISM
Today’s computing environment is dynamic and users are demanding flexibility in the types of devices and applications they use to remain productive. Sometimes the line between work and personal time is blurred, which has challenged enterprises to manage the bring your own device (BYOD) phenomenon.
One way enterprises are allowing staff access to vital information while still maintaining the appropriate controls is through the implementation of a virtual desktop infrastructure (VDI). VDI allows operating systems and applications to run on virtual machines in a data center and provides users access via remote-display software or a web browser. Users can be productive by accessing information and applications on any device while the enterprise minimizes the risk of data loss.
There are many business benefits to virtualization beyond the flexibility of accommodating the BYOD trend, such as increased security via centralized IT control, enhanced compliance capabilities using standard policies for configuration control, and better utilization of resources through the flexibility to allocate hard disk space or memory on demand. However, to maintain adequate governance and assurance, the enterprise needs to understand the risk associated with virtualization and craft a strategy that aligns with organizational objectives.
Governance concerns for a virtualization strategy are not significantly different from those pertaining to any other major technology rollout. The COBIT 5 business framework supplies principles and enablers that contribute to alignment between IT-related goals of virtualization and enterprise goals. These enablers include:
- Policies—Have they been reviewed and updated as needed, especially with regard to BYOD? Have objectives and associated metrics been identified and aligned with business goals?
- Processes—Where does responsibility for virtualization architecture and management reside?
- Administration and management—Have change control procedures been reexamined for the new environment? Are new tools needed to enhance security monitoring of the virtual infrastructure?
Assurance concerns in a virtual world are slightly more complicated than governance concerns because the technological and physical boundaries are not as clear when using virtualized mechanisms. These assurance concerns are compounded when virtualization is provided by a third party, such as a cloud service provider.
Major assurance concerns include:
- Network security controls—Because information is hosted centrally when using virtualization, the assurance professional should look for robust network security, including encryption of the communications channel between the end device and the virtual desktop.
- Segregation of duties—A thorough review needs to be conducted of which roles have access to which virtual machines and whether or not the VLAN assignment, routing protocols and other networking information align with the current enterprise standards. The security of the entire virtual infrastructure relies on the virtualization management system, which may be controlled by one administrator.
- Identity management—While the ability to provision the virtual work environment among users, roles and end devices provides great flexibility, a failure in the identity management system means that no one would be able to log in to work. This is different from a traditional environment in which a user can log in locally to a machine and work even if the LAN or WAN network is not available.
- Compliance—Virtualization can easily be combined with cloud services as long as network connectivity is provided. This may present assurance concerns if the physical location of the data center or the data provider is unknown. If outsourcing is used, the assurance professional must understand that legal control over the data is determined by the physical location and jurisdiction of the data center.
These considerations are examples of the risk to consider when implementing VDI. Ensuring that the risk is addressed by utilizing a governance and assurance framework will provide a foundation for aligning the enterprise’s goals and objectives to its IT initiatives.
More information on this topic can be found on the Virtualization Desktop Infrastructure (VDI) page of the ISACA web site.
Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force that helped to develop the Risk IT publications.
New Volunteer Opportunity: ISO Guidance Drafts
ISACA invites you to volunteer as an SME to review the International Organization for Standardization (ISO) guidance drafts.
Due to ISACA’s ISO liaison category C status with three subcommittees within ISO’s Joint Technical Committee 1 (JTC1): Information Technology, the association and its members have the opportunity to comment on and suggest modifications to the ISO working drafts, which are sent directly to the committees for approval. Members of ISACA’s ISO Liaison Subcommittee attend the ISO face-to-face meetings to present, discuss and advocate for such comments.
Volunteers are a key contributing factor to the success of this task. If you have expertise in the subject matter and are enthusiastic about participating and sharing some of your time, please consider reviewing the drafts and providing your comments to the ISO Liaison Subcommittee.
Volunteers will be given confidential materials and will be asked to submit their comments at the appropriate time and within the terms designated for this review process. The requirements for SME volunteers for the ISO guidance drafts are that you are an ISACA member and have knowledge of and interest in ISO standards.
Please volunteer now. For more information on how to participate, please contact firstname.lastname@example.org.
Book Review: Guide to Firewalls and VPNs
Reviewed by Andrew Richardson, CISA, CISM, CRISC
Guide to Firewalls and VPNs is aimed at students, but it is a valuable reference work for security professionals and senior management as well. Individuals pursuing or possessing a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), or Certified in Risk and Information Systems Control (CRISC) credential should also find much of interest.
This guidebook is equally split in its main focus between the managerial problems of network security and the underlying technology that needs to be understood to provide the appropriate controls and implement secure defences.
The book is divided into three sections with the initial chapters covering an introduction to information security and security policies, both important subjects that lay the foundations for the subsequent sections.
Part two covers firewall introduction, packet filtering, field configuration and administration, proxy servers and application-level firewalls, and implementing a bastion host. The third and final part covers encryption and setting up a VPN.
Guide to Firewalls and VPNs is an excellent study guide and reference work. It provides enough depth in all its subject areas to be useful, without being overwhelming. Each chapter has a real-life scenario that helps the reader place the information in context, making it a relevant aid to understanding concepts.
Learning objectives indicate what material will be covered, while chapter summaries and review questions allow the readers to evaluate their own learning and understanding as they go along. Exercises and case studies (based on the real-life examples) further help the readers. There is a list of selected reading and an extremely comprehensive list of endnotes that can be used for further research.
The information in the book is presented cogently and clearly. Tables and illustrations are used to facilitate reading. Digressions within the book look at examples that have entered the public arena and give valuable insight that helps bring the topic to life.
The book provides a comprehensive amount of documentation and, while readers will not become expert in all aspects of network security simply by reading this book, they will be aware of the broad subject range. Sufficient depth is covered for the majority of situations and, as with any subject, further reading is always useful.
The book was written by Michael E. Whitman, Herbert J. Mattord and Andrew Green, who are well recognised in the field of information security. Whitman and Mattord both have CISM and CISSP designations.
Guide to Firewalls and VPNs is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email email@example.com.
Andrew Richardson, CISA, CISM, CRISC, MBCS, MCMI, is the group information security officer (ISO) at AEGON UK. Richardson has more than 25 years of experience in IT, information security, audit and risk. He has written a number of articles for the ISACA Scotland Chapter and is a member of the ISACA Publications Subcommittee. He can be reached at firstname.lastname@example.org.