March 22, 2008

Comments

Rob Lewis

You may be right with these comments. Time will tell.

Can you speculate about what virtualization will bring to the table as far as information-centric security (granular access and audit control at the data file level) as opposed to bringing network (infrastructure) security down to a more granular level?

John Peterson

Rob,

Great question. Well, I think one of the great things virtualization will bring to the table as it relates to control at the data file level is its ability to snapshot information.

For example, if I have a file sitting on a VM and that file becomes compromised, modified or accessed by someone or something that shouldn't have accessed or modified the data file, the virtual environment will be able to revert back to its original state.

Take for example the company Tripwire. With Tripwire you can monitor data file access and enable change control monitoring. If the "TripWire" was triggered it could send VMware into a mode of reverting back to the original image (data files).

This "TripWire" could be invoked if someone modified a file (tried to corrupt it, i.e. deface a web site) or if someone accessed the file through some memory location that shouldn't have been a channel to that file. You could revert back.

It kinda creates a scenario of a dog chasing his tail. You would effectively never be able to damage something as long as you have the ability to monitor it and revert back.

The other thing that can be done, that is not necessarily empowered by virtualization but virtualization definitely allows you to scale this better, is to have a "Data Firewall" which Montego Networks has in its product.

It's pretty common to have file restrictions based on user names and user groups on file servers (physical or virtual), but what hasn't been so common is to tie network attributes (subnets, MACs, ports, IPs, etc.) to those files.

What if you could restrict access to a file based on where someone is coming from in the network? For example, maybe someone is trying to access the file from the wireless LAN segment. You may want to set policy to restrict such access. What if you wanted to place all of your contractors in a certain part of the building (subnet) and restrict access from that part of the building regardless of their server level access? Or maybe restrict access to critical files from a user's home which has a VPN into corporate.

With a "Data Firewall" you could do things like that, and virtualization allows you to scale it a lot better and roll out such solutions a lot better.

Lots to explore here. I think it's going to be exciting times for the security industry.

JP
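The two ideas in the reply above, a "data firewall" that keys file access on the network the request comes from as well as on the user's groups, and a tripwire-style integrity check that reverts a changed file to its snapshot, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not code from the commenter, from Tripwire, from VMware, or from Montego Networks. The subnets, paths, groups and rules are all constructed for the example, and the "snapshot" is just a copy of the file content held in memory, standing in for a VM or storage snapshot.

```python
"""Toy data firewall plus tripwire-style revert (constructed example).

Policy rules combine a path prefix, the groups allowed to touch it, and
the networks from which access is refused even for an allowed group.
Evaluation is default-deny: a path no rule covers is refused.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed network segments standing in for those named in the comment.
WIRELESS_LAN = ipaddress.ip_network("10.20.0.0/16")
CONTRACTOR_FLOOR = ipaddress.ip_network("10.30.5.0/24")
VPN_POOL = ipaddress.ip_network("172.16.100.0/24")


@dataclass(frozen=True)
class Rule:
    """Who may access files under path_prefix, and from where they may not."""
    path_prefix: str
    allowed_groups: frozenset
    denied_networks: tuple


@dataclass(frozen=True)
class Request:
    """One file-access request as the firewall would see it."""
    user: str
    groups: frozenset
    path: str
    source_ip: str


# Constructed policy: finance files are group-restricted and unreachable from
# the wireless LAN, the contractor subnet and the VPN pool; public files are
# open to staff and contractors from anywhere.
POLICY = [
    Rule("/srv/finance/", frozenset({"finance"}),
         (WIRELESS_LAN, CONTRACTOR_FLOOR, VPN_POOL)),
    Rule("/srv/public/", frozenset({"staff", "contractors"}), ()),
]


def evaluate(req: Request, policy=POLICY) -> tuple:
    """Return (allowed, reason). The longest matching prefix wins."""
    matching = [r for r in policy if req.path.startswith(r.path_prefix)]
    if not matching:
        return False, "no rule covers path (default deny)"
    rule = max(matching, key=lambda r: len(r.path_prefix))
    if not (req.groups & rule.allowed_groups):
        return False, "group not permitted"
    src = ipaddress.ip_address(req.source_ip)
    for net in rule.denied_networks:
        if src in net:
            return False, f"source {src} is in denied network {net}"
    return True, "allowed"


def digest(content: bytes) -> str:
    """Baseline and current hashes use SHA-256 over the file content."""
    return hashlib.sha256(content).hexdigest()


class MonitoredFile:
    """A file with a baseline hash and a snapshot taken when monitoring began.

    check() compares the current hash to the baseline; on a mismatch it
    restores the snapshot and counts the revert, which is the 'tripwire
    fires, environment reverts' loop described in the comment.
    """

    def __init__(self, path: str, content: bytes):
        self.path = path
        self.content = content
        self.snapshot = content          # snapshot at baseline time
        self.baseline = digest(content)
        self.reverts = 0

    def write(self, content: bytes):
        self.content = content

    def check(self) -> bool:
        """Return True if the content had changed (and has been reverted)."""
        if digest(self.content) == self.baseline:
            return False
        self.content = self.snapshot
        self.reverts += 1
        return True


if __name__ == "__main__":
    r = Request("alice", frozenset({"finance"}), "/srv/finance/q1.xlsx", "10.20.4.5")
    print(evaluate(r))      # finance user, but from the wireless LAN: denied
    page = MonitoredFile("/srv/www/index.html", b"<h1>hello</h1>")
    page.write(b"<h1>defaced</h1>")
    print(page.check(), page.content)   # True, reverted to the snapshot
```

The network check runs after the group check on purpose: a user who would be allowed on the file server alone can still be refused because of where the request originates, which is exactly the attribute the comment says file servers have not traditionally tied to files. The revert loop is only as good as the baseline: the monitor must take its snapshot before any unwanted change, and a write that an attacker can make look identical (same hash) would not trigger it, which is why a collision-resistant hash is used.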

园林

Thanks for sharing. This is very good data.