• United States



CISO, Boston University

Virtual machines could be the gold standard for network security

Dec 16, 20144 mins
ComplianceData and Information SecurityNetwork Security

Pre-configured secure VMs: Turnkey solutions for sensitive business and research loads

From researchers working with protected health information to administrators and executives working with financial numbers to the business offices dealing with credit card transactions, many individuals and groups within an organization need secure servers on which to conduct business using information protected by state and federal laws and regulations. 

Virtualization technologies allow IT to provide computation and storage solutions with much greater economies of scale, natural system lifecycle management, and reduced environmental impact. This is primarily because system information and resources are shared by tenants, which brings a lot of efficiencies, but unfortunately also means that protected information may leak through shared memory and other mechanisms.  However, capabilities now exist—one example being the ability to reserve memory space for the exclusive use of one particular tenant—that allow us to create virtual machines specifically designed to meet the complex requirements of today’s regulatory environment, allowing a more convenient and scalable solution for sensitive and regulated business loads.

Boston University’s Information Services and Technology Department (IS&T) received the 2015 CSO50 Award from IDG’s CSO Magazine (International Data Group’s Chief Security Officer Magazine) for efforts in designing just such a solution.

BU Information Security and IS&T Systems Engineering worked together to create the ‘Premium Secure VM’ service, which leverages VMware, vSphere Enterprise and other tools to provide the security required to handle regulated information in a virtual environment. This solution was designed to meet the requirements of a variety of sensitive information—HIPAA, GLBA, PCI, PII, ePHI, and data protected by Massachusetts Privacy Law—but as most regulations contain many of the same requirements, a VM can be designed to meet the superset of almost any combination of regulations or standards needed. It also includes other security features or tools, such as compliance monitoring, security monitoring, vulnerability management, etc.  BU created and maintains a gold image and clones it when a new server is needed, standing up a new secure computing environment in minutes.

For every system brought into this environment, BU is seeing savings of $1,000 on acquisition costs and another $1,000 per year on maintenance. Clearly, this approach provides cost benefits, but it also allows another extraordinary value add: An organization can conduct a risk assessment, certification review, regulatory review, penetration test, and whatever else may be required on that original image and provide that baseline information and associated documentation to the client along when setting up their clone, significantly reducing the administrative time and effort it might otherwise take.


Let’s walk through an example to see how this can work to make both service and security more convenient. We will take the case of an organization that does medical research: Using this approach, such an organization can create a gold image and work through the NIH or SSA to have it certified as being compliant with HIPAA and with NIST 800-53 [moderate], generating the documentation required to achieve the certification: Risk Assessment (RA), System Security Plan (SSP), Contingency Plan (CP), Security Assessment and Authorization (SAA), Privacy Impact Assessment (PIA), and Data Management Plan (DMP). 

Later, when a researcher needs a computing environment for human subjects research or some other federal research covered by FISMA, IT has a turnkey solution. Not only can IT spin up the required environment in moments, but infosec can also provide the pre-approved RA/SSP/CP/PIA/CP/SAA/DMP documents. 


  • The researcher doesn’t have to buy his own environment, doesn’t have to propose as much money as part of the grant request, and therefore has a competitive advantage.
  • The researcher doesn’t have to learn the tortuous details of 800-53, set up an environment that meets those requirements, or get that brand new environment approved. This saves weeks, if not many months of project effort, providing an advantage in speed and agility.
  • The researcher does not have to draft 150 to 400 pages of documentation to prove compliance. The templates from IT already have the system and environment-specific details filled out, so the majority of that work is already done. He only has to supply a few pages of project-specific material, saving untold hundreds of hours of frustration. 

If such a solution is available, technology and regulation get out of the way of the researchers, allowing them to focus on their true purpose: Research. Let’s work to innovate, leveraging our various groups for their true areas of expertise: IT for technical engineering, infosec for regulatory guidance and security configuration/tooling/testing, and researchers for exploring their worlds, creating new insights and stretching the boundaries of their fields.

This is one way that IT and information security can work together to design solutions that bring value to the business, providing researchers (and others with sensitive business loads) more convenient security.

Quinn R. Shamblin's philosophy is that the convenience and security are not mutually exclusive - good security can be achieved simultaneously with user convenience. Contrary to what people believe, the work of a good information security professional is not to say "no" to a business goal or request, but to find a safe way to say "yes". This philosophy comes from experience gathered throughout a very diverse career.

Quinn started his career as an officer in the U.S. Navy, teaching sailors how to operate the nuclear reactors found on U.S. submarines and aircraft carriers. He then moved into staff and project management in the IT field, spending several years leading the technical development and support of TIBCO technologies for Procter & Gamble, HP, and Hydus, Inc. Quinn then joined the University of Cincinnati as a Cybercrime Investigator, then Manager of Information Security and finally, Director of Information Security. Quinn is now the Information Security Officer at Boston University, one of the leading urban research universities in the world, ranked 41st in the U.S. (U.S. News & World Report) and 50th in the world (Times of London) in 2013. BU is the fourth largest private university in the U.S. with 33,500 students and 9,000 faculty and staff in 16 Schools and Colleges and association with Boston Medical Center.

Quinn is a sought-after presenter in the Information Security field. He has given talks for CSO magazine, the Brazilian government, the FBI, Evanta, EDUCAUSE and many other national, regional and local organizations. He and the team that created Boston University's Premium Secure VM Service won the CSO50 Security Innovation Award in 2014.

Quinn holds an MBA from the University of Cincinnati, a B.S. in Physics from Andrews University and numerous professional certifications, including: CISM, CISSP, ITIL and previously, PMP, GIAC Certified Forensics Analyst (GCFA).

The opinions expressed in this blog are those of Quinn R. Shamblin and do not necessarily represent those of Boston University or IDG Communications, Inc., its parent, subsidiary or affiliated companies.