My friend and fellow vSpecialist Sharon Isaacson and I were preparing for some technical presentations and sessions that were coming up. The sessions were based on the VCE Trusted Multi-Tenant document and how RSA can secure virtual environments as well as the Vblock. We weren’t big on going in there and throwing products at them. We wanted to talk about security, find out how they defined multi-tenancy, and then work with them to see how the products fit into their need. The goal is to talk about security and as I stated in previous posts, it is about trust. Sharon had this great relational understanding regarding trust. I don’t know where she got it from or when she developed it but I told her I was stealing it, using it, and writing a blog post on it.
I coined it the “Triangle of Trust”. Sure when talking about security we use the terms risk and trust. We want to reduce risk and increase trust. But how do you do this? Through policies / procedures and visibility… that is how you create trust. And of course this trust needs to be established across the entire stack of administrators and tenants. The tenants need to understand that their SLA is being met and the administrators need to easily prove the SLA is being put in place. Service providers need to prove that their policies are complying with the customers needs and wants and that the customers/tenants are getting what they paid for. You don’t want to wait until the last minute, until a disaster has happened to prove that they didn’t do what you asked them to. That is a high risk situation and you might as well not do anything at all. Putting 100% faith into a service provider without any visibility is just crazy. You need the insurance policy.
Policies are what define everything in the infrastructure. Whether it is a policy to define the length and complexity of the password or the fact that the PCI DSS data needs to be encrypted and kept for a specific period of time. Nothing occurs without implementing a policy and proving that it has been done. Once you can prove that, trust is established. Think about this scenario in the real world. You create policies with your children, such as they need to be home at 11:00 pm on a friday night. You need to have visibility that this policy is being met by making sure they stop by your room when they get home. This in turn creates more trust. If you don’t see them at 11:00 pm, how can you be sure they really were there when they said they were.
Trust is essential in every relationship whether business or personal. Trusting in your service provider when they are dealing with your information is even more important. You aren’t leaving your child with a day care provider if you don’t trust them. Why leave your data to a provider if you don’t trust that they are protecting your information. How do they secure the data… with policies… and how are these policies verified… with visibility into their physical and virtual infrastructure. You can’t have trust without the policies and visibility.. you can’t have visibility unless policies are put in place and a trust relationship is established. Last but not least, policies are nothing with the trust in the infrastructure and the ability to see them. You get it… it is a triangle of trust… everything is based on the trust…the trust in the cloud
