VMware Cloud Well-Architected Framework: Secure Pillar – Introduction for Oracle Cloud VMware Engine
Information security is, at its core, defined by three main concepts: confidentiality, integrity, and availability. Organizations often think about “security” primarily in terms of confidentiality, but omitting the other concepts leaves out many essential design ideas that help supply resilience to systems, during incidents ranging from a security breach to a natural disaster. The concepts also interrelate. For example, designing for availability often means that resolving vulnerabilities is easier, helping to restore confidentiality and integrity to systems. Thinking about security in the cloud means thinking about, and designing for, all three data security concepts.
Security is a process that belongs to everyone in IT and technology, not just the “security team” or the chief information security officer (CISO). This is especially true in small and medium-sized businesses that may not have a separate security team. Regardless of an organization’s size, cloud and virtual infrastructure administrators are often the primary implementers of security controls in an organization, while the security team sets policy, audits for compliance, and conducts incident response. Everyone within the organization participates in the process in some way. As such, the information presented here is intended to aid everyone in gaining an understanding of security design principles, and how they apply to operations in the VMware Cloud.
Information Security Concepts
An understanding of information security concepts enables efficient communication within organizations, promotes understanding among different groups within an organization, and improves system design by highlighting areas of consideration.
The ability to prove that a person or application is genuine, verifying the identity of that person or application. Authentication uses one or more of three primary methods, or factors: what you know, what you are, and what you have.
“What you know” encompasses passwords, personal identification numbers (PINs), passphrases, and other secrets. This type of authentication is not strong on its own and is typically paired with another authentication factor.
“What you are” involves biometric authentication methods, such as retinal scans, fingerprints, voice or signature recognition, and so on. These factors cannot be easily changed if compromised.
“What you have” entails objects or applications running on objects that you physically possess. Traditionally this involved keys, but modern forms may also involve USB tokens, smart cards, and one-time password applications on devices. This factor requires possession of the object at the time of use and may be hindered by intentional or unintentional loss of, or damage to, the object.
Multi-Factor Authentication is a method that uses authentication techniques from more than one factor. For example, combining a password with a one-time password application, or a facial scan with a PIN. This approach helps mitigate weaknesses in the use of each factor. Use of two techniques from the same factor, such as two passwords or two physical keys, is not considered multi-factor.
The act of determining whether a user or application has the right to conduct particular activities in a system, relying on authentication to prove the identification of the user or application.
Ensuring that data is available to authorized parties when needed.
Security and privacy controls implemented as an alternate solution to a requirement that is not workable for an organization to implement in its original form. The sum of the compensating controls must meet the intent and requirements of the original security control.
Ensuring that data is protected from access by unauthorized parties.
An incident where data is accessed, copied, transmitted, viewed, or stolen by an unauthorized party. This term does not indicate intent; other terms such as “data leak” and “information leakage” help convey whether a data breach was intentional or not.
The ability to uniquely prove who a user of a system or application is, to enforce access control and establish accountability.
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations. Note that this is not limited to people, nor does it indicate intent; natural phenomena, disasters, and animals can also cause incidents, for example.
Ensuring that data is protected against unauthorized modification.
A method of describing the techniques used by attackers, after breaching an endpoint or system, to “pivot” and extend access to other systems and applications in their target organization. This moves the attacker closer to their goals, such as accessing, changing, exfiltrating, or destroying sensitive information.
Only assigning the minimum access rights that are necessary for staff or systems to perform their authorized tasks, for the minimum duration necessary.
The ability to associate messages, actions, and/or authentications with an individual in a way that cannot be denied by that individual.
Recovery Point Objective (RPO)
The largest amount of data that is acceptable to lose after recovering from an incident. This is measured in time, e.g. “one hour of customer data.”
Recovery Time Objective (RTO)
The largest amount of time that is acceptable for data to be unavailable due to an incident.
A safeguard or countermeasure designed to protect the confidentiality, integrity, and availability of data.
Separation of Duties
Dividing critical functions among different staff to help ensure that no individual has enough information or access to conduct fraud.
A weakness in an information security system, system security procedures, security controls, or implementations that could be exploited by a threat actor.