Category: IT Security

Going Rogue: How did that data get in the cloud?

How much of your corporate data is sitting on an unused virtual machine running on the infrastructure of a cloud service provider? “Ah, but Mike, I don’t have any VMs running ‘in the cloud’!” Oh really? Want an easy way to check? Go to your Finance organization and ask for a report of corporate credit card use at Amazon. You may be surprised.

Now, I’m not knocking Amazon at all. A great company doing some really innovative stuff. They’ve made it so easy to start up a virtual machine that I worry when my kids are going to start using it!

But for that very reason of ease of use, you need to know if someone in your organization, frustrated with the response of “It’ll take IT a month to provision you that”, just went “rogue”. He couldn’t wait a month for a web server to be provisioned, so he went over to EC2 and started spinning up things, copying data and taking credit cards because IT couldn’t do it fast enough.

It’s this type of scenario that’s contributing to why many organizations are looking at how they can provide the business with the same flexibility and speed as an EC2-style environment, but from within their own datacenter. This is the essence of “Private Cloud”. Combine that with the ability to link a Private Cloud to a Public Cloud and you have a Hybrid Cloud: the nirvana of being able to “burst” virtual machines off of my infrastructure and on to a service provider’s infrastructure, all the while maintaining security.

Yea… I’m going to put a sensitive virtual machine or data out into “the cloud” that I have less visibility and control of than my own datacenter? Really?

Well, maybe. But only after you do the next step.

Assess and Measure Risk

How can we, from a security standpoint, really make this work? Like any good security person will tell you, it’s about assessment and measurement of risk. Just because you can, doesn’t mean you should. In the case of virtual machines and data, the VMs and the data that reside on them need to be assessed, measured for risk, classified and tagged. As I point out in the slide on the left, we need to start calculating a risk score on a VM or the data and, based on that risk score, we keep the VM or data in-house or allow it to move to a datacenter out of our control.

Note that I have only 4 variables on the slide.

  1. Data Sensitivity
  2. Workload IP (intellectual property)
  3. Business Requirements
  4. Job Security

Obviously, there can be many more variables that can and should be considered.

  • What about the current threat levels that I get from tools like RSA Netwitness?
  • Is there a new piece of malware out there that attacks the technology I used to develop the application?
  • Is it near the end of the quarter and someone is a little antsy and wants things in-house until after the quarter?

All these things and more should be considered when deciding whether stuff should run in your datacenter or a datacenter out of your control.

For example, say I have two servers. One is a web server with a bunch of static images that’s just there to serve up the images in a catalog, and the other is the application server that falls under PCI because it’s dealing with credit cards. As a simple exercise, we could tag the first as “Non-PCI” and the second as “PCI”.

Today, if you are doing this calculation exercise, it’s probably a manual process. But if you’re talking about cloud-scale, this will have to be an automated process.

A look to the future of automated security

Think about this for a second. All sorts of threat info is coming into your Security Operations Center. Based on that information, the security tools kick off changes to the virtualization and cloud infrastructure (that is SO easy to automate) and VMs either move in or out of different locations or states based on the real-time data. The assessment and risk measurement isn’t a one time thing. It needs to be a continuous process.

In our server example above, if you want to step the classification process up, your DLP solution scans the servers and if PCI data is found, the classification or tag would change, resulting in the VM being pulled out of the public datacenter and back into the private datacenter.
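As an added example (not code from this post, nor from any RSA or VMware product), here is one way to turn the four slide variables into a risk score, tag PCI workloads, and re-run the placement decision continuously as DLP findings or the threat level change. The weights, the threshold, the location names, the two sample servers and the toy DLP scanner (a Luhn check over 13 to 16 digit runs, which drops most order numbers and timestamps that a bare regex would flag) are all constructed assumptions.

```python
"""Continuous risk scoring and placement for VMs.

Added example, not the post's own tooling. Weights, thresholds, tag names
and the sample inventory are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Assumed policy values, not a product default.
PUBLIC_MAX_SCORE = 12
WEIGHTS = {"data_sensitivity": 3, "workload_ip": 2,
           "business_requirement": 2, "job_security": 1}
CARD_RE = re.compile(r"\b\d{13,16}\b")


@dataclass
class Workload:
    name: str
    data_sensitivity: int       # 0 public .. 5 regulated (e.g. cardholder data)
    workload_ip: int            # 0 commodity .. 5 crown-jewel intellectual property
    business_requirement: int   # 0 no constraint .. 5 must stay in-house
    job_security: int           # 0 .. 5, the "who gets fired if this leaks" factor
    contents: list = field(default_factory=list)   # constructed file samples
    tags: set = field(default_factory=set)
    location: str = "private"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives from bare 13-16 digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def dlp_scan(w: Workload) -> bool:
    """Toy DLP pass: does any file on the VM carry a Luhn-valid card number?"""
    found = any(luhn_ok(m) for text in w.contents for m in CARD_RE.findall(text))
    if found:
        w.tags.add("PCI")
        w.data_sensitivity = 5      # a PCI finding overrides whatever was declared
    return found


def risk_score(w: Workload, threat_level: int = 0) -> int:
    """Weighted sum of the four slide variables plus a live threat-feed modifier."""
    base = sum(getattr(w, k) * v for k, v in WEIGHTS.items())
    return base + 2 * threat_level


def decide_location(w: Workload, threat_level: int = 0) -> str:
    """PCI-tagged workloads never leave; everything else goes by score."""
    if "PCI" in w.tags or risk_score(w, threat_level) > PUBLIC_MAX_SCORE:
        return "private"
    return "public"


def reconcile(inventory, threat_level: int = 0):
    """One pass of the continuous loop: rescan, rescore, record every move."""
    moves = []
    for w in inventory:
        dlp_scan(w)
        target = decide_location(w, threat_level)
        if target != w.location:
            moves.append((w.name, w.location, target))
            w.location = target
    return moves


def sample_inventory():
    """Constructed: the two servers from the post (static catalog, PCI app)."""
    web = Workload("catalog-images", 0, 0, 0, 1,
                   contents=["catalog/shoe-red.jpg", "catalog/shoe-blue.jpg"])
    app = Workload("order-app", 5, 2, 4, 5, tags={"PCI"})
    return [web, app]


if __name__ == "__main__":
    inv = sample_inventory()
    print(reconcile(inv))       # catalog-images is allowed out to the public side
    # Constructed: someone drops a customer export next to the images.
    inv[0].contents.append("export.csv: alice,4111111111111111,12/27")
    print(reconcile(inv))       # DLP finds a card number, VM is pulled back in-house
```

The threat modifier is what makes the loop continuous rather than a one-off classification: the same catalog server that scores 1 on a quiet day crosses the threshold once the SOC raises the threat level far enough, without anyone changing its tags.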

Obligatory Star Trek Reference

How cool would that be? Just like Star Trek, sensors detected a threat, shields come up automatically (I never could understand why someone had to give an order for that to happen!), phasers start charging and the klaxon goes off. You adjust your tunic with The Picard Maneuver and take command of the situation before the Romulan de-cloaks to fire her final, crippling shot! Yes, I just mixed my TOS/TNG references.

Isn’t that how it should be? No surprises? Pre-determined workflows kicking off to protect my assets. Computers doing what computers do best, the manual, tedious tasks we don’t want to do so we can concentrate on the bigger issues like how many people are following you on Twitter? (1,462 but who’s counting)

So, as we come full circle and you’re now considering running that report on Amazon purchases over the past year and catching up with Star Trek on Netflix, remember that these Risk Scores are not calculated by the guy with a corporate credit card and a need for a web server.

And I would hope you’d agree that doing this in the physical world is MUCH harder. The automation capabilities of the virtual/cloud infrastructure can really enable security to work in a more measurable, consistent and adaptive way. The bad guys are adapting all the time.

Thanks for reading. Please comment. I’d love to hear feedback. I’d especially like to hear dissenting views. After all, I’m not a dyed-in-the-wool security guy. I don’t wear a red shirt.

mike
(Not Lt. Expendable)

Securing Virtual Desktops with Brian Gracely & TheCloudcast.Net

On Thursday, Feb 9th, I drove from RSA HQ in Bedford, MA to EMC HQ in Hopkinton to spend some time with Brian Gracely (Twitter: @bgracely) and do a podcast and whiteboard session on security and virtual desktops.

Brian is the Director of Technology Solutions and Strategy at EMC and one of the co-hosts of TheCloudcast.(NET) along with Aaron Delp (Twitter: @aarondelp). If you haven’t heard of The Cloudcast you’ve been missing out! It’s a wealth of knowledge sharing with some of the real leaders in the virtualization and cloud space.

This was my second time on The Cloudcast. My first time was as part of a panel at VMworld 2011 where I discussed vCloud and security with Brian, Aaron and VMware’s Chris Colotti (Twitter: @ccolotti), a vCloud rockstar.

I really enjoy these social media opportunities! I like sharing knowledge but more than that, I like hanging out with people smarter than me. It really raises my game and gets the creative juices flowing!

Out of discussions like this I’ve come up with novel ways to solve problems, opened my eyes to a different way of thinking and even came up with a patent application that I’m hoping to be able to talk about soon.

In our discussion, Brian and I built upon some of the points I made in a previous blog posting on Virtual Desktops and Security. Take a moment to read that and then listen to the audio and check out the video whiteboard.

So, without further ado, I’d like to redirect you over to our podcast and video on Securing Virtual Desktops and my thoughts on Bring Your Own Device (BYOD).

Securing Virtual Desktops TheCloudcast.(NET)

I hope you enjoy it as much as we did making it and that it helps you in your virtual desktop strategy. If you have questions, reach me on Twitter or send me an email.

Thanks!

mike
@mikefoley

Virtual Desktops and Security–Leverage, Control, Enable

First, IMHO, VDI is not like the virtualization of servers where I consolidate 100 servers into 10 boxes and come out being a hero to finance because I saved $70k in A/C and electricity. The cost savings are not as blatant (and easy) as that.

Instead, in my view, VDI is an enabling technology for governance, risk and compliance. Primarily because the desktop infrastructure is now off of desktop/laptop hardware and back under control of the datacenter. This infrastructure gives me unparalleled visibility into the goings on. I can more easily monitor traffic and actions, control access and respond to bad things. I can now protect my desktops with datacenter class security.

With other technologies like vShield, I can now group VMs in a way that aligns with the business and apply/enforce policies accordingly. With vShield’s new Data Security feature, you are now leveraging the RSA Data Loss Prevention engine to audit your virtual machines.

For example: I can assign policies on a group basis so that the Engineering group will be scanned for PCI data and, if found, it will be reported. But the finance folks, because they are trained in PCI, will only be audited. As I add new VMs to the groups, the VMs will fall under the appropriate policies with no special configuration. Consistency!

Leverage

Last year I talked with a customer in a government agency about VDI and security. They had a requirement that every time an analyst logs into a desktop, the desktop is “fresh”. With VDI, that’s easy.

  • The analyst logs into a fresh desktop cloned from a gold master.
  • At the end of the shift, the desktop is moved into a different pool for forensic analysis.
  • A new desktop is provisioned.

All easily automatable/scriptable and orchestrated (and you know how much I like automating things!). Because it’s all automatable, you can now do things in a consistent manner. Inconsistent events and actions will be easier to spot and react to. And because all of these events are logged and processed by a SIEM, I’ve now got a step up on when things DO go wrong!

Control

What this also did for the customer was shrink their window of vulnerability. How so? Well, the desktop was fresh at every shift change. The timeframe for which malware could get a hold was shrunk from weeks/months/years to an 8 hour shift. With 88% of corporations having systems infected with trojans and not knowing about them, this can really help mitigate bad stuff lying around!
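The fresh-desktop-per-shift workflow from the Leverage section, together with the 8 hour window just described, as an added example that is not the customer’s or VMware View’s tooling. The broker, the pool names, the event fields and the sample day are constructed assumptions. The two checks at the end are the kind of rule the SIEM would run over the broker’s events: an active desktop that outlived its shift (the recycle step was skipped), and a second login on a desktop that was already used once (the “fresh every time” rule was broken).

```python
"""Fresh-desktop-per-shift lifecycle with a SIEM-style event log.

Added example, not the customer's or VMware View's code. Pool names, event
fields, the shift length and the sample day are constructed assumptions.
"""
import itertools
from dataclasses import dataclass, field

SHIFT_SECONDS = 8 * 3600      # assumed shift length: the window malware gets to persist


@dataclass
class Desktop:
    vm_id: str
    pool: str                 # "active" while an analyst uses it, "forensic" afterwards
    assigned_to: str
    created_at: int


@dataclass
class Broker:
    """Minimal connection broker: clone, assign, retire, and log every step."""
    gold_master: str
    clock: int = 0                                  # seconds; advanced by the caller
    desktops: dict = field(default_factory=dict)
    events: list = field(default_factory=list)      # SIEM-style records
    _seq: itertools.count = field(default_factory=itertools.count)

    def _log(self, action: str, vm_id: str, user: str) -> dict:
        rec = {"ts": self.clock, "action": action, "vm": vm_id, "user": user}
        self.events.append(rec)
        return rec

    def login(self, analyst: str) -> Desktop:
        """Every login gets a never-used clone of the gold master."""
        vm = Desktop(f"vdi-{next(self._seq):04d}", "active", analyst, self.clock)
        self.desktops[vm.vm_id] = vm
        self._log("clone", vm.vm_id, self.gold_master)
        self._log("login", vm.vm_id, analyst)
        return vm

    def end_shift(self, analyst: str) -> None:
        """Retire the analyst's desktop into the forensic pool; nothing is reused."""
        for vm in self.desktops.values():
            if vm.assigned_to == analyst and vm.pool == "active":
                vm.pool = "forensic"
                self._log("logout", vm.vm_id, analyst)
                self._log("move_to_forensic", vm.vm_id, analyst)


def overdue_desktops(broker: Broker) -> list:
    """Active desktops older than one shift: the recycle step was skipped."""
    return [vm.vm_id for vm in broker.desktops.values()
            if vm.pool == "active" and broker.clock - vm.created_at > SHIFT_SECONDS]


def reused_desktops(events: list) -> list:
    """A second login on the same VM id breaks the 'fresh every time' rule."""
    seen, reused = set(), []
    for e in events:
        if e["action"] == "login":
            if e["vm"] in seen:
                reused.append(e["vm"])
            seen.add(e["vm"])
    return reused


def run_day() -> Broker:
    """Constructed sample day: one clean shift, one overrun, one inconsistent login."""
    b = Broker("gold-master-2012q1")      # constructed image name
    b.login("alice")                      # vdi-0000
    b.login("bob")                        # vdi-0001
    b.clock += SHIFT_SECONDS
    b.end_shift("alice")                  # vdi-0000 goes to the forensic pool
    b.clock += 3600                       # bob is now an hour past his shift
    # Constructed inconsistent event: a login appears on the retired desktop.
    b.events.append({"ts": b.clock, "action": "login", "vm": "vdi-0000", "user": "carol"})
    return b


if __name__ == "__main__":
    day = run_day()
    print("overdue:", overdue_desktops(day))       # ['vdi-0001']
    print("reused:", reused_desktops(day.events))  # ['vdi-0000']
```

Because the broker itself emits every clone, login, logout and pool move, the detection logic needs no agent on the desktop; the consistency of the automated workflow is what makes the two deviations stand out.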

Enable

VDI is also an enabling technology in that I, as the IT guy, can embrace new trends quicker with less risk. Look how fast the iPad has become part of the enterprise. You only have to Google “iPad Enterprise Adoption” and see study after study on this increasing trend. For example, I was talking with a customer who wanted to replace all corporate laptops for their thousands of field people with an iPad + Virtual Desktop. The key driver for this was that customer data would never reside on the endpoint. If the iPad was lost or stolen, no worries. Go expense a new one and get back to work.

In terms of inter-office usability, consider the situation where your corporate laptop has been infected (don’t let your 15-year-old son use it. EVER!) and now, instead of 2 days of re-imaging downtime, the IT guy hands you a thin client and you’re back to work in minutes.

What if you lost your laptop? Well, because your only access to sensitive data is through your virtual desktop and isn’t allowed on an endpoint device like a laptop, the loss of the laptop may not need to be reported to regulatory authorities. Google “Stolen Laptop Data Breach”. And for those that say “but our laptops are encrypted!”, well, only 30% of you are doing that according to a study at the Ponemon Institute funded by Intel.

Back to work in minutes, no regulatory reporting for a stolen laptop. How does Finance measure that productivity gain/potential corporate risk?

In closing

VDI isn’t for the faint of heart nor is it for everyone. However, with the capabilities available today, you can use it to really get back the control you had back in the timesharing days (I miss you VMS!) while being flexible to adopting new technologies in a more secure way.

I’m a huge fan of VDI. I’ve been using it now for well over a year and wouldn’t give it up. I have my personal MacBook Air laptop and the only corporate info on it is some non-NDA presentations. All other EMC “stuff” is done on my VMware View desktop. This keeps that nice separation between what’s mine and what’s EMC’s very clear. And yes, the SSD in the Air is encrypted with FileVault!

Finally, when it comes to security, it’s no longer sufficient to just run ON a virtual platform. For security to move to the next step, it has to leverage these inherent capabilities that are presented to it. You can start today by considering a virtual desktop strategy. Just don’t forget the security tools!

Thanks,

mike