Virtual machines could be the gold standard for network security

From researchers working with protected health information to administrators and executives working with financial numbers to the business offices dealing with credit card transactions, many individuals and groups within an organization need secure servers on which to conduct business using information protected by state and federal laws and regulations. 

Virtualization technologies allow IT to provide computation and storage solutions with much greater economies of scale, natural system lifecycle management, and reduced environmental impact. This is primarily because system information and resources are shared by tenants, which brings a lot of efficiencies, but unfortunately also means that protected information may leak through shared memory and other mechanisms.  However, capabilities now exist—one example being the ability to reserve memory space for the exclusive use of one particular tenant—that allow us to create virtual machines specifically designed to meet the complex requirements of today’s regulatory environment, allowing a more convenient and scalable solution for sensitive and regulated business loads.

Boston University’s Information Services and Technology Department (IS&T) received the 2015 CSO50 Award from IDG’s CSO Magazine (International Data Group’s Chief Security Officer Magazine) for efforts in designing just such a solution.

BU Information Security and IS&T Systems Engineering worked together to create the ‘Premium Secure VM’ service, which leverages VMware, vSphere Enterprise and other tools to provide the security required to handle regulated information in a virtual environment. This solution was designed to meet the requirements of a variety of sensitive information—HIPAA, GLBA, PCI, PII, ePHI, and data protected by Massachusetts Privacy Law—but as most regulations contain many of the same requirements, a VM can be designed to meet the superset of almost any combination of regulations or standards needed. It also includes other security features or tools, such as compliance monitoring, security monitoring, vulnerability management, etc.  BU created and maintains a gold image and clones it when a new server is needed, standing up a new secure computing environment in minutes.

For every system brought into this environment, BU is seeing savings of $1,000 on acquisition costs and another $1,000 per year on maintenance. Clearly, this approach provides cost benefits, but it also allows another extraordinary value add: An organization can conduct a risk assessment, certification review, regulatory review, penetration test, and whatever else may be required on that original image and provide that baseline information and associated documentation to the client along when setting up their clone, significantly reducing the administrative time and effort it might otherwise take.

—————–

Let’s walk through an example to see how this can work to make both service and security more convenient. We will take the case of an organization that does medical research: Using this approach, such an organization can create a gold image and work through the NIH or SSA to have it certified as being compliant with HIPAA and with NIST 800-53 [moderate], generating the documentation required to achieve the certification: Risk Assessment (RA), System Security Plan (SSP), Contingency Plan (CP), Security Assessment and Authorization (SAA), Privacy Impact Assessment (PIA), and Data Management Plan (DMP). 

Later, when a researcher needs a computing environment for human subjects research or some other federal research covered by FISMA, IT has a turnkey solution. Not only can IT spin up the required environment in moments, but infosec can also provide the pre-approved RA/SSP/CP/PIA/CP/SAA/DMP documents. 

Benefits:

• The researcher doesn’t have to buy his own environment, doesn’t have to propose as much money as part of the grant request, and therefore has a competitive advantage.
• The researcher doesn’t have to learn the tortuous details of 800-53, set up an environment that meets those requirements, or get that brand new environment approved. This saves weeks, if not many months of project effort, providing an advantage in speed and agility.
• The researcher does not have to draft 150 to 400 pages of documentation to prove compliance. The templates from IT already have the system and environment-specific details filled out, so the majority of that work is already done. He only has to supply a few pages of project-specific material, saving untold hundreds of hours of frustration. 

If such a solution is available, technology and regulation get out of the way of the researchers, allowing them to focus on their true purpose: Research. Let’s work to innovate, leveraging our various groups for their true areas of expertise: IT for technical engineering, infosec for regulatory guidance and security configuration/tooling/testing, and researchers for exploring their worlds, creating new insights and stretching the boundaries of their fields.

This is one way that IT and information security can work together to design solutions that bring value to the business, providing researchers (and others with sensitive business loads) more convenient security.