Scope: It Is All about Scope

When to implement security and data protection practices, or even change existing ones, is all about timing, knowledge, and scope. Deciding what to implement at any particular time requires knowledge of what needs to be fixed, and also of what the future could hold. To do this properly, you need to pay close attention to the threats within your industry, understand their impact, and evaluate them based on risk. Where to obtain such knowledge is always changing, but the scope we apply the knowledge to seems to be static and not changing with the times.

The question of where to get data has been answered many times before, but that of how to define your computing operations is much more interesting. Do we limit our scope to just a small subset of our entire computing environment? Do we base it on the scope we have under regulatory compliance? Or do we broaden our horizons to include all elements of the secure hybrid cloud? I think it is the last of these, per Figure 1:

Figure 1: Secure Hybrid Cloud (scope of the secure hybrid cloud)

Our scope cannot be limited to just our data center any more, and we cannot rely on the scope formed by trying to pass some form of regulatory compliance, as that is generally a subset of our entire environment. Nor can we impose a scope based on a vendor product, such as a converged infrastructure, as the scope is often broader than we know. One example of the need to broaden our scope is VCE Vblock. The Vblock seems fairly insular (drop it in and go), but in reality, the scope of a Vblock extends outside the components and into the core switching, as the Vblock does not do any layer 3 or higher networking. This means we need to be concerned not only about how the components within the Vblock talk to each other, but also about how the outside world attempts to reach the Vblock.

We also know that partner access, data protection, management access, and many other aspects of an environment fall outside most scopes. They are distinctly outside the scope of many regulatory compliance audits, as the goal of regulatory compliance is not to pass the audit over your entire environment, but over a subset that can be made to meet those requirements. It is a check box, not real security. When we look at security and data protection, our scope and worldview need to change. They need to move outside the realm of a single host, a single application, a single Vblock, and expand to cover how the users are actually interacting with the data.

Our scope changes as our users’ appetites for technology change. As users find new ways to do their jobs, they are often moving organizational data into and between clouds, and perhaps not even touching data centers any more. Do current security practices and scopes of control, audit, and data protection even cover the way the users use the data and applications within their reach?

Scope needs to change and grow. Every organization (except perhaps two to three that I know about) uses hybrid clouds. It is not about how we define things, but about how the users and partners interact with the data.

What is your scope of control, audit, and data protection? Is it broad enough to really cover the environment? Or is it limited to what is needed to pass regulatory compliance?