Neil MacDonald

A member of the Gartner Blog Network

Security Thought for Tuesday: Program Policies, not Infrastructure

by Neil MacDonald  |  September 21, 2010

I’m here at the midsized enterprise summit in San Antonio. Earlier today, I presented on the same theme I will be presenting on at Gartner’s US Fall Symposium – the evolution of information security to address the security needs of private and public cloud-based services.

In addition to the virtualization of security controls, one of the other significant transformations taking place in security infrastructure is the move to make security policy enforcement points “programmable”: configurable through standard APIs (in most cases, REST-based). The policy enforcement points are then managed from security policy administration points and consoles, where policies are linked to workloads based on logical, not physical, attributes. For example, “PCI-related web applications require web application firewall protection” or “Only a member of the Sales organization can use Skype”. These policies then drive the automated configuration of the security policy enforcement points embedded (most likely virtualized) throughout our data center “fabric”.

There are several fundamental changes in information security reflected in these simple examples:

  • Information security professionals focus on setting security policies, not the low-level programming of firewalls and other security infrastructure.
  • As security policies move “up the stack” and become context-aware, tied to application, identity and content, the policies themselves read more like English statements, understandable both to the policy creator and to the people verifying the policy (auditors, information owners and so on).
  • Together, by shifting to policy-driven, programmable security infrastructure, we reduce the chance of misadministration, mismanagement and human error (a significant source of unplanned downtime and successful attacks) and improve our overall security profile.
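The following is an added example, not code from the post or from Gartner, of how the two English-readable policies above can be compiled into per-enforcement-point configuration and then checked for drift. The enforcement-point ids, the inventory, the live configuration and the REST paths are all constructed for the illustration; no real product API is assumed.

```python
"""Policy-driven configuration of programmable security enforcement points.

Added illustration, not the post's or Gartner's code. The enforcement-point
ids, workload inventory, 'live' configuration and REST paths below are all
constructed for the example and do not correspond to any real product API.
"""
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class Policy:
    statement: str   # plain-English statement, readable by auditors and information owners
    match: dict      # logical attributes a workload must carry for the policy to apply
    control: dict    # configuration the enforcement point must then enforce


# Policies expressed against logical attributes, not addresses or ports.
POLICIES = [
    Policy("PCI-related web applications require web application firewall protection",
           match={"pci_scope": True, "tier": "web"},
           control={"waf": {"enabled": True, "mode": "block"}}),
    Policy("Only a member of the Sales organization can use Skype",
           match={"egress_gateway": True},
           control={"app_control": {"skype": {"allow_groups": ["Sales"]}}}),
]

# Constructed inventory: each workload carries logical attributes and names the
# (virtualized) enforcement point, with a hypothetical id, that fronts it.
INVENTORY = [
    {"name": "shop-web-01", "pep": "vfw-101", "attrs": {"pci_scope": True, "tier": "web"}},
    {"name": "intranet-web-01", "pep": "vfw-102", "attrs": {"pci_scope": False, "tier": "web"}},
    {"name": "branch-gw-01", "pep": "vfw-201", "attrs": {"egress_gateway": True}},
]


def matches(attrs, match):
    """A policy applies when every attribute it names has the required value."""
    return all(attrs.get(key) == value for key, value in match.items())


def deep_merge(target, extra):
    """Merge nested control dicts so several policies can configure one enforcement point."""
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(target.get(key), dict):
            deep_merge(target[key], value)
        else:
            target[key] = value
    return target


def compile_desired_state(inventory, policies):
    """Translate attribute-based policies into a desired config per enforcement point."""
    desired = {}
    for workload in inventory:
        config = {"policies": []}  # record which statements produced this config
        for policy in policies:
            if matches(workload["attrs"], policy.match):
                deep_merge(config, json.loads(json.dumps(policy.control)))  # merge a copy
                config["policies"].append(policy.statement)
        desired[workload["pep"]] = config
    return desired


def render_api_calls(desired):
    """Emit the REST-style calls a policy administration point would push (hypothetical API)."""
    return [("PUT", f"/api/v1/enforcement-points/{pep}/config", json.dumps(cfg, sort_keys=True))
            for pep, cfg in desired.items()]


def find_drift(desired, actual):
    """Report enforcement points whose live config no longer matches what policy requires."""
    drift = []
    for pep, want in desired.items():
        have = actual.get(pep, {})
        for key, value in want.items():
            if key != "policies" and have.get(key) != value:
                drift.append((pep, key, value, have.get(key)))
    return drift


# Constructed 'live' state: the PCI WAF was switched to monitor-only by hand.
ACTUAL = {
    "vfw-101": {"waf": {"enabled": True, "mode": "monitor"}},
    "vfw-102": {},
    "vfw-201": {"app_control": {"skype": {"allow_groups": ["Sales"]}}},
}

if __name__ == "__main__":
    desired = compile_desired_state(INVENTORY, POLICIES)
    for method, path, body in render_api_calls(desired):
        print(method, path, body)
    for pep, key, want, have in find_drift(desired, ACTUAL):
        print(f"DRIFT {pep}: {key} should be {want}, found {have}")
```

Two design points carry the post's argument: the policy statements stay attached to the compiled configuration, so an auditor can trace every setting on an enforcement point back to an English sentence, and the drift check turns the same desired state into a detection control for the hand-made changes that cause unplanned outages and exposures.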

Food for thought.


Category: Cloud Security, Next-generation Security Infrastructure, Virtualization, Virtualization Security