Category: vShield

Checkbox Security

 

Is security something that you feel you HAVE to do? Are you doing the bare minimum required by your auditor? Are you “Checking the box”?

In my role as Virtualization Evangelist, I seem to talk to mostly IT people. I endeavor to educate them on using VMware infrastructure as a layer (or multiple layer) of defense in depth. I spend a LOT of time trying to connect the dots between security and IT. I keep running into the same issues over and over.  The attitude of “I’ve got a firewall and AV so I’m ok” is pervasive.

Newflash: You’re not OK. Just ask your security guy.

There are a lot of really nasty people out there who are trying hard to get at your stuff. Firewalls are porous and AV, well, it’s not going to help you with a zero day attack. I’m not knocking firewalls and AV. They most definitely have their place as part of the “Defense in Depth” story. Just pointing out that they can’t be your ONLY solution.

Checking the Box

Sure, you can implement all the stuff that you HAVE to to check the box. You may even get the thumbs up from your auditor that you’re “Compliant”! But are you SECURE? Are you protecting the assets of the business or just covering the assets? (Read into that what you will :))

What’s needed is a sea-change in approaching security. Using every asset at your disposal is critical. With the changes coming in VMware vSphere V5.1, you’ll now have more security tools at your disposal. For example, in all editions of vSphere V5.1 is the inclusion of vShield Zones and Endpoint, providing you the ability to manage your firewalls at the vNIC level, providing increased isolation between VM’s. This is a great first step in being able to use firewalls and AV at scale.

Also, and here I go again, you need to leverage automation. Measurement of critical assets and those measurements feeding into a GRC solution like RSA Archer can help you wrap a workflow around things that need to be fixed and track if/when they do get fixed. It’s critical that the IT organization work with security by providing them the data they need to provide better security with minimal impact to the business.

What I present to customers

As I call out in my recent presentation, “Understanding the Measured Risks of Cloud Security”  this attitude of securing with just a firewall isn’t good enough. Also read the blog post “The Palace of Harmonious Virtualization” as well

I want to hear from you!

What I’d love to hear from is customers that ARE using the virtual infrastructure to provide new ways of securing their environments. Reply here or send me an email. I’d love to showcase some of your thoughts as well.

Thanks,
mike

Virtual Desktops and Security–Leverage, Control, Enable

First, IMHO, VDI is not like the virtualization of servers where I consolidate 100 servers into 10 boxes and come out being a hero to finance because I saved $70k in A/C and electricity. The cost savings are not as blatant (and easy) as that.

Instead, in my view, VDI is an enabling technology for governance, risk and compliance. Primarily because the desktop infrastructure is now off of desktop/laptop hardware and back under control of the datacenter. This infrastructure gives me unparalleled visibility into the goings on. I can more easily monitor traffic and actions, control access and respond to bad things. I can now protect my desktops with datacenter class security.

With other technologies like vShield, I can now group VM’s in a way that aligns with the business and apply/enforce policies accordingly. eng-finWith vShield’s new Data Security feature, you are now leveraging the RSA Data Loss Prevention engine to audit your virtual machines.

For example: I can assign policies at the group bases so that the Engineering group will be scanned for PCI data and if found, it will be reported. But the finance folks, because they are trained in PCI, will only be audited. As I add new VM’s to the groups, the VM’s will fall under the appropriate policies with no special configuration. Consistency!

Leverage

Last year I talked with a customer in a government agency about VDI and security. They had a requirement that every time an analyst logs into a desktop, that the desktop was “fresh”. With VDI, that’s easy.

  • The analyst logs into a fresh desktop cloned from a gold master.
  • At the end of the shift, the desktop is moved into a different pool for forensic analysis
  • A new desktop is provisioned.

All easily automatable/scriptable and orchestrated (and you know how much I like automating things!). Because it’s all automatable, you can now do things in a consistent manner. Inconsistent events and actions will be easier to spot and react. And because all of these events are logged and processed by a SIEM I’ve now got a step up on when things DO go wrong!

Control

What this also did for the customer was shrink their window of vulnerability. How so? Well, the desktop was fresh at every shift change. The timeframe for which malware could get a hold was shrunk from weeks/months/years to an 8 hour shift. With 88% of corporations having systems infected with trojan’s and not knowing about them, this can really help mitigate bad stuff lying around!

Enable

VDI is also an enabling technology in that I, as the IT guy, can embrace new trends quicker with less risk. Look how fast the iPad has become part of the enterprise? You only have to Google “iPad Enterprise Adoption” and see study after study on this increasing trend. For example, I was talking with a customer who wanted to replace all corporate laptops for their thousands of field people with an iPad + Virtual Desktop. The key driver for this was that customer data would never resided on the endpoint. If the iPad was lost or stolen, no worries. Go expense a new one and get back to work.

In terms of inter-office usability, consider the situation where your corporate laptop has been infected (don’t let your 15yr old son use it. EVER!) and now, instead of 2 days of re-imaging downtime, the IT guy hands you a thin client and you’re back to work in minutes.

What if you lost your laptop? Well, because your only access to sensitive data is through your virtual desktop and isn’t allowed on an endpoint device like a laptop, the loss of the laptop may not need to be reported to regulatory authorities. Google “Stolen Laptop Data Breach”. And for those that say “but our laptops are encrypted!”, well, only 30% of you are doing that according to a study at the Ponemon Institute funded by Intel.

Back to work in minutes, no regulatory reporting for a stolen laptop. How does Finance measure that productivity gain/potential corporate risk?

In closing

VDI isn’t for the faint of heart nor is it for everyone. However, with the capabilities available today, you can use it to really get back the control you had back in the timesharing days (I miss you VMS!) while being flexible to adopting new technologies in a more secure way.

I’m a huge fan of VDI. I’ve been using it now for well over a year and wouldn’t give it up. I have my personal MacBook Air laptop and the only corporate info on it is some non-NDA presentations. All other EMC “stuff” is done on my VMware View desktop. This keeps that nice separation between what’s mine and what EMC’s very clear. And yes, the SSD in the Air is encrypted with FileVault!

Finally, when it comes to security, it’s no longer sufficient to just run ON a virtual platform. For security to move to the next step, it has to leverage these inherent capabilities that are presented to it. You can start today by considering a virtual desktop strategy. Just don’t forget the security tools!

Thanks,

mike

The missing note from the vShield 5 docs

Every IT guy (or gal) has, at some point in their career called a friend for a lifeline when they’ve gotten stuck. And invariably, every one of us has had that friend look at our problem and say something like “Did you plug it in?”

I had one of those moments today.

You see, I’m rebuilding my lab with vSphere 5, vCloud 1.5 and vShield. I decided to go directly by the documentation (for a change!) as a learning exercise. I ran into a problem with vShield. It drove me batty. I couldn’t get VM’s to either talk to each other or to outside resources like DNS, gateway or DHCP.

Now, this was seriously getting on my nerves, I reviewed everything, I read docs, I read blog articles. I just couldn’t for the life of me find out what was wrong! What did I miss?

It was time to call in my lifeline, Rob Randell from VMware. Rob lives and breathes this product and I’ve worked closely with him on all sorts of security/VMware related stuff. If anyone could figure it out, it would be Rob.

We connected this afternoon over Webex. We stepped thru a few things, looking at settings and such. Then Rob asked me to bring up the vCenter client and asked me “Why are the vShield App VM’s not powered on?”

<facepalm><Homer D’oh!> Yea, I just go bitten by the bug we all run into. The inability to see the obvious. <insert excuse here> My schedule lately is so crazy that I’ve been doing this in fits and starts and not practicing my usually good troubleshooting skills. <\excuse>

After powering on the VM’s, network traffic started flowing and all was right with the world! I talked to Rob and said that there really should be a note in the documentation. Not a note saying “Did you power up the VM’s?” but to set the auto start settings on the ESXi hosts.

As best practices for vShield, I installed, and you should to, the vShield App and Edge VM’s to local storage on the ESXi hosts. But what I failed to do was set the VM’s to auto start on the host and after a reboot, I forgot to power on the VM.

So, click on the host in the vCenter client, click on Configuration and Start/Stop Settings. Ensure the VM is in the auto-start list. I also set the shutdown action to “shutdown” and not “power off”. I also set the power-on time from 120 seconds to 15 seconds to ensure my networking wasn’t out for some period of time after host power-on.

I’ll be sending a pointer to this blog to the vShield product management team in hopes that this one simple documentation note will help you not encounter the techie embarrassment of being asked “Did you plug it in?”

Thanks for reading.

mike