Welcome!

Weblogic Authors: Yeshim Deniz, Elizabeth White, Michael Meiner, Michael Bushong, Avi Rosenthal

Related Topics: Weblogic, Containers Expo Blog

Weblogic: Article

Separation of Duties in Virtualized Environments

Historically, separation of duties has been a key tenant of internal controls

Virtualization has brought us another step closer to the world of Star Trek. Think back to episodes of The Next Generation where Geordi was able to control the functions of the entire ship through a single touch-screen interface. He was able to reconfigure electrical, mechanical and propulsion systems without needing anyone else or additional authorization. The only thing to prevent him from doing something risky or damaging was the computer system itself.

This picture is exciting in its similarities with virtualization. Here, the hypervisor essentially becomes a datacenter in a box where not only servers are virtualized, but also networking and storage. One of the challenges this creates, though, is around separation of duties, since the virtual infrastructure administrator now has the ability to make changes to each of these aspects of virtual infrastructure. This has blurred the lines around traditional separation of duties and is creating some serious organizational challenges.

Historically, separation of duties has been a key tenant of internal controls. As a security principle, it is meant to protect against fraud and unintentional error due to a variety of factors, such as lack of skills or inattention caused by overwork. In addition, from an IT perspective it is meant to reduce the potential damage from the actions of one person. Also, regulatory compliance initiatives like SOX and the Gramm-Leach Bliley Act (GLBA) require separation of duties since internal controls rely on IT to automate and enforce the separation. Auditors check to make sure there are adequate control mechanisms around separation of duties and have listed "material deficiencies" when the risk is high enough, or documented "compensating controls" when IT controls required for compliance cannot be satisfied.

Traditional IT organizations are built with multiple skilled groups; typically these include server, networking, storage and security. These groups are not only experts in their particular domains, but they have limited access to the specific systems they need to manage. With virtualization, however, these functional areas become very difficult to segregate and manage; for example, the server team that adopts virtualization may end up also managing networking and storage within the virtual infrastructure. This creates both organizational and virtualization adoption challenges.

Here are three steps for solving the issue of separation of duties within a virtualized environment:

  1. Architect organizational processes and separation of duties from the ground up
  2. Use granular role-based access control methods to ensure separation of duties - this should be consistent across all access methods
  3. Ensure you have consistent and granular audit-quality logs for all virtual infrastructure operations (log individual user and command activities)

Bottom line, the best way to effectively address the problem of separation of duties is by deploying a solution that automates and delivers consistency around areas like access management, policy enforcement (according to role and object/resource being managed) and audit-quality logging. These capabilities are critical to enforce separation of duties as well as enable new virtualization capabilities such as self-service. With steps like these in place, the unchartered course we're on with virtualization can bring tremendous assurance, control, security, management and compliance.

Now you're ready to take your business where no man has gone before.

More Stories By Eric Chiu

Eric Chiu is CEO and founder of HyTrust, an early stage startup focused on secure virtualization management and compliance. He has in-depth knowledge about what’s needed to achieve the same level of operational readiness in virtual, as in physical I.T. infrastructures. Previously Eric served in executive roles at Cemaphore, MailFrontier, mySimon, and was a venture capitalist at Brentwood/Redpoint, Pinnacle, and M&A at Robertson, Stephens and Company.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
DXWorldEXPO LLC announced today that "IoT Now" was named media sponsor of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. IoT Now explores the evolving opportunities and challenges facing CSPs, and it passes on some lessons learned from those who have taken the first steps in next-gen IoT services.
SYS-CON Events announced today that Silicon India has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Published in Silicon Valley, Silicon India magazine is the premiere platform for CIOs to discuss their innovative enterprise solutions and allows IT vendors to learn about new solutions that can help grow their business.
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT staff augmentation services for software technology providers. By providing clients with unparalleled niche technology expertise and industry experience, Chetu has become the premiere long-term, back-end software development partner for start-ups, SMBs, and Fortune 500 companies. Chetu is headquartered in Plantation, Florida, with thirteen offices throughout the U.S. and abroad.
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...