Stop and think about what it takes at your company for someone to write a $100 check from the company checkbook. It doesn't seem like a lot, but there are controls in place to make sure it is not easy to write that $100 check: controls meant to protect the company from fraud, theft and maybe even honest mistakes. People have a very clear sense of the value of a hundred dollars; you can hold a crisp new Benjamin Franklin or C-note and feel that there is something of value in your hand. Now stop and think about what it takes for an administrator in your company to spin up, spin down, move or change a virtual machine running some application or service your business relies on for its daily operations (hint: it can be very easy, quicker than making a cup of coffee). But wait, it's just a virtual system, not real money, right?
Now let’s get back to that $100 check. Businesses tend to have controls in place to reduce risk and loss. Examples of some of those controls include:
- The requirement for two signatures on all checks or at least checks that are over a specified amount
- The requirement to keep blank checks in a lock box or safe so the physical checks cannot be accessed without authorization (it is also a good idea to lock up the stamp with the CFO's signature)
- The requirement that only certain individuals have signature authority on the account (does the bank really check this?)
- The requirement for separation of duties for check writing and account reconciliation functions
Now let's go back to the virtual machines that run the business. Businesses may have some controls in place, depending on the maturity of their IT processes and the regulatory regime they operate under, but it is probably easier for an administrator to access virtual systems, turn them up or down, and even change them than it is for any employee to write a $100 check. Just as there are controls for writing a check, virtual infrastructure needs some of the same controls:
- Two "signatures", or approvals (think two-man rule), on changes to virtual machines, particularly when an operation touches a large number of systems or would have a substantial impact on the business
- Strong authentication of administrators, based on 2FA, smart cards or another factor, to make sure they are who they say they are and are in fact authorized to do what they are doing
- Different policies for different levels of change (a $100 check versus a $100,000 check): some virtual machines hold more critical business resources and data than others, and some actions affect more machines than others
- Protecting root passwords so that no single virtual-machine administrator holds the equivalent of the CFO's signature stamp, which protects against well-intentioned error as well as theft or vandalism
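To make the four controls concrete, here is an added example (not code from the original post or from any vendor product) of a policy check that a change-control gateway could run before it forwards an operation to the hypervisor. It scores a request by blast radius (number of targets), sensitivity (highest criticality tier touched) and the weight of the operation, then applies the $100-versus-$100,000 rule: small changes go through on strong authentication alone, large ones need a second approver who is not the requester, and destructive operations need a one-time root credential checked out from a vault rather than a standing password. The tiers, operation weights, thresholds, and the `root_checkout_token` field are illustrative assumptions.

```python
"""Policy check for virtual-infrastructure change requests (added example).

Models the controls discussed above: strong authentication, a two-person
rule for high-impact changes, tiered policy by criticality and blast
radius, and no standing root credential for a single administrator.
Tiers, weights and thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed criticality tiers, higher number = more sensitive.
TIERS = {"critical": 3, "important": 2, "standard": 1}

# Assumed operation weights: read-only is 0, destructive is highest.
OP_WEIGHT = {"list": 0, "power_on": 1, "power_off": 2,
             "migrate": 2, "reconfigure": 3, "delete": 4}

# Assumed thresholds for the "$100,000 check": a second signature is
# needed above this risk score or above this many targets.
TWO_PERSON_SCORE = 12
TWO_PERSON_TARGETS = 10
# Operations at or above this weight require a vaulted root checkout.
ROOT_CHECKOUT_WEIGHT = 3


@dataclass
class VirtualMachine:
    name: str
    tier: str  # key of TIERS


@dataclass
class ChangeRequest:
    requester: str
    operation: str  # key of OP_WEIGHT
    targets: List[VirtualMachine]
    mfa_verified: bool  # set by the authentication layer, not the caller
    approvers: List[str] = field(default_factory=list)
    # Hypothetical one-time token issued by a credential vault when the
    # admin checks out root; None means no root credential was obtained.
    root_checkout_token: Optional[str] = None


def risk_score(req: ChangeRequest) -> int:
    """Blast radius x highest sensitivity x operation weight."""
    if req.operation not in OP_WEIGHT:
        raise ValueError(f"unknown operation {req.operation!r}")
    if not req.targets:
        return 0
    highest = max(TIERS[vm.tier] for vm in req.targets)
    return len(req.targets) * highest * OP_WEIGHT[req.operation]


def required_approvals(req: ChangeRequest) -> int:
    """Number of approvers (besides the requester) the change needs."""
    if risk_score(req) >= TWO_PERSON_SCORE or len(req.targets) >= TWO_PERSON_TARGETS:
        return 1  # two-man rule: requester plus one independent approver
    return 0


def evaluate(req: ChangeRequest) -> Tuple[str, List[str]]:
    """Return ("allow", []) or ("deny", [reason, ...])."""
    reasons = []

    # Control 2: strong authentication of the administrator.
    if not req.mfa_verified:
        reasons.append("administrator not strongly authenticated (MFA required)")

    # Controls 1 and 3: second signature scaled to the size of the change,
    # with separation of duties (a requester cannot approve their own change).
    needed = required_approvals(req)
    independent = [a for a in req.approvers if a != req.requester]
    if len(independent) < needed:
        reasons.append(f"change needs {needed} independent approval(s), "
                       f"got {len(independent)} (risk score {risk_score(req)})")

    # Control 4: no standing root password; destructive operations must
    # present a one-time credential checked out from the vault.
    if OP_WEIGHT[req.operation] >= ROOT_CHECKOUT_WEIGHT and not req.root_checkout_token:
        reasons.append("privileged operation without a vaulted root checkout")

    return ("allow" if not reasons else "deny", reasons)


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real environment.
    web = VirtualMachine("web-01", "standard")
    dbs = [VirtualMachine(f"db-0{i}", "critical") for i in range(1, 4)]
    print(evaluate(ChangeRequest("alice", "power_off", [web], True)))
    print(evaluate(ChangeRequest("alice", "delete", dbs, True)))
    print(evaluate(ChangeRequest("alice", "delete", dbs, True,
                                 approvers=["alice"], root_checkout_token="tok-1")))
    print(evaluate(ChangeRequest("alice", "delete", dbs, True,
                                 approvers=["bob"], root_checkout_token="tok-1")))
```

The check is deliberately deny-by-default on every failed control rather than stopping at the first one, so the audit record shows everything that was missing. The `mfa_verified` flag is meant to be populated by the authentication layer from a verified session, never from the administrator's own input, otherwise the control is decorative.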
Organizations are now starting to put controls in place so that their virtual infrastructure gets the same level of protection as a $100 check. At HyTrust we are helping our customers ensure they have controls in place to address operational and security risks. With these controls, the teams responsible for virtual infrastructure can still do what's needed, but with a safety net underneath them. You never know when someone might fat-finger a change to the virtual infrastructure or, worse, watch Citizenfour and decide to see what kind of mischief they can get up to. Give us a call (1-650-681-8100) or visit the HyTrust website to see how we might be able to help you protect your virtual infrastructure.