1

Layer One conference

Information security in the datacenter: Is it an internal affair?

George D. Delikouras, CISM, CGEIT, C-RISK

Athens International Airport S.A. Head Information security

IT&T Business Unit [email protected]

2nd DATA CENTER INFRASTRUCTURES NETWORKING & CABLING CONFERENCE, ATExcelixi, October 12, 2012


2

Introduction

Consolidation in the datacenter is always the objective, because it serves cost reduction

Virtualization technology has been adopted by datacenter providers as it serves consolidation

The contemporary environment in the data center is hybrid, combining physical and virtual machines

Information security regulatory frameworks increase and affect more industries

Information security standards become analytic, specific, detailed, strict, heavy and costly, yet at the same time their adoption by the industry also increases!

Solutions exist for every problem (at least we hope)

The secret of keeping the costs down is well hidden in the design phase

3

Security in the datacenter

Key findings from the industry 2010-2012

4

Key findings

• Virtualization is not inherently insecure. However, most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants.

• The virtualization platform is becoming the most important x86-based IT platform in the next generation data center.

• The combination of more workloads being virtualized and workloads becoming more mobile creates a complex and dynamic environment that will be more difficult to secure.

5

Key findings

• With extreme consolidation, the cost of maintaining the needed level of security may exceed the savings.

• Organizations can outsource the security function, but they cannot outsource the liability for failure to the provider.

• IT organizations must conduct a realistic assessment of the impact of the provider's failure on the business, and perform contingency planning.

• Organizations must be careful to realistically compare the security posture of their own data centers to those of the provider.

6

Key findings

• Most large enterprises will use private cloud services before public cloud. The security strategies chosen to secure private cloud will be key to securing public cloud.

• Third-party security assessment standards are needed to enable the broad use of public cloud services.

• Security as a service will play a major role in providing a separate security control plane for the business use of public cloud services.

7

Security in the datacenter

Virtualization in the datacenter

8

The virtualization platform

Hypervisor and VMM are privileged software levels

9

The virtualization platform

10

Workloads VS trust levels

• Currently in security-critical areas of the network, such as an organization's data center, workloads of similar trust levels may be consolidated. However, some consolidation scenarios will result in the consolidation of workloads of different trust levels and in the highest-risk case, trusted and untrusted workloads may end up being combined on the same server.

• Do not ask "Can virtualization be used in the datacenter?" (it can); instead ask "Should this be done?"


11

The datacenter (before)

12

The datacenter (hybrid)

[Diagram labels: Internet; database activity monitoring; firewall/router; intrusion prevention system; firewall/router; FTP server; web server; file server; e-mail server; VM 1: app1; VM 2: app2; VM 1: DB1; VM 2: DB2]

13

The datacenter (fully virtualized)

14

The datacenter (fully virtualized)

15

4 big risks

Risk: Loss of separation of duties between security/network security and operations

• When external network-based security systems are used to enforce separation between datacenter trust zones, a level of Separation Of Duties (SOD)-by-default is achieved, because the functions are hosted on separate physical systems that are managed and configured by separate teams.

• Within the virtual server, the virtual server administrator who has access to the "root" ID of the privileged software levels and configuration can now alter or disable security settings, creating the potential for conflict of interest.


16

What can I do?

• Consolidate only similar trust levels of workloads so that SOD of security configuration and controls is minimally impacted.

• If workloads of different trust levels are consolidated, use external inspection and security policy enforcement

• Require strong authentication for privileged account access, with full auditing and logging.

• A check-in/check-out process for administrative IDs, including privileged virtual server "root" administrators, with full auditing and logging of activities performed

• Control the ability to change security settings in the virtual server.

• Security professionals must retain the ability to quickly change settings and policies, potentially affecting the operation of critical production workloads (INFOSEC task force and enforcement)


17

4 big risks

• Risk: Privileged software layers, such as hypervisors, virtual machine monitors, host operating systems, parent partitions and drivers, will contain embedded vulnerabilities that may be exploited to breach zone isolation


18

What can I do?

• Favor virtualization technologies that have been shown to be secure in real-world deployments over time. Newer is not better from a security perspective.

• Extend the organization's vulnerability and patch management processes to encompass the privileged layers of software in a virtual server

• Use an externally based in-line network IPS that can shield the privileged layers of virtualization software from network-based attacks.

• Prohibit and disable the loading of arbitrary code in privileged partitions

• Develop strict internal processes and controls for configuration changes of these layers, including device drivers.

• There are more low-level security controls to add


19

4 big risks

• Risk: Security isolation between different levels of trust depends on absolutely correct configuration of the internal virtual network, including any virtual LAN (VLAN) settings, NIC bindings and information flows. Incorrect configuration could result in a compromise of zone isolation.

20

What can I do?

• Use third-party standards to baseline the configuration as the standards become available. Configuration standards are available in the physical world, but similar standards for the virtualized world are not yet available.

• Detect, log and ideally prevent unauthorized configuration changes. Alarm (or prevent) authorized changes that violate policy.

• To reduce the number of security configurations within the virtual server, the virtual server could be configured so that all traffic is sent for external inspection and policy enforcement.

• Because inter-VM traffic flows will be completely invisible to externally based network enforcement devices, virtual-server-based in-line IPS should be used to ensure no unexpected flows occur.

• Increased diligence in configuration management and change management processes provides additional oversight.

21

4 big risks

• Risk: Virtualization technologies for sharing hardware among consolidated workloads increase the impact of a DoS attack


22

What can I do?

• Ensure that the virtual server is configured absolutely correctly to prevent DoS:

– Require dedicated/separate NICs for VM management

– Require dedicated NICs for each trust zone

– Implement processor quotas per VM

– Implement disk space quotas

– Protect system disk partitions from oversized logs and queues

– Understand that a compromised privileged software level is harder to protect against DoS, because it is assumed to be privileged

• Plan for "hot" standby and transfer of datacenter workloads when patching is required.

• Implement behavioral profiling and monitoring of VMs

• Avoid virtualization architectures in the datacenter that require a "parent" partition to host "child" security workloads. The parent partition becomes a single point of failure and target for attack.
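The configuration rules from the "What can I do?" slides (slide 20: detect and alarm configuration changes that violate policy; slide 22: dedicated management NICs, a NIC per trust zone, processor quotas per VM) can be turned into an automated baseline check. The following is an added example, not code from the presentation; the host inventory format is a constructed, hypothetical one, as are the host and VM names.

```python
# Added example (not from the presentation): baseline check of a virtual host
# against the policy rules in slides 10, 20 and 22. The inventory structure
# below is hypothetical; a real deployment would fill it from the hypervisor
# management API.

# Constructed sample inventory for one virtual host (hypothetical format).
HOST = {
    "name": "vhost-01",
    "nics": {
        "vmnic0": {"role": "management", "zones": []},
        # Two trust zones bound to one NIC: violates "dedicated NIC per zone".
        "vmnic1": {"role": "workload", "zones": ["dmz", "internal"]},
    },
    "vms": [
        {"name": "web1", "zone": "dmz", "cpu_quota_mhz": 2000},
        {"name": "db1", "zone": "internal", "cpu_quota_mhz": None},  # no quota
    ],
}


def check_host(host):
    """Return a list of (rule, detail) findings; an empty list means compliant."""
    findings = []
    nics = host["nics"]
    # Rule 1 (slide 22): management traffic needs its own NIC carrying no workload zone.
    mgmt = [n for n, c in nics.items() if c["role"] == "management"]
    if not mgmt:
        findings.append(("dedicated-mgmt-nic", "no NIC dedicated to VM management"))
    for n in mgmt:
        if nics[n]["zones"]:
            findings.append(("dedicated-mgmt-nic", f"{n} also carries zones {nics[n]['zones']}"))
    # Rule 2 (slides 19/22): each trust zone must be bound to its own NIC.
    for n, c in nics.items():
        if c["role"] == "workload" and len(c["zones"]) > 1:
            findings.append(("nic-per-zone", f"{n} carries multiple zones {c['zones']}"))
    # Rule 3 (slide 10): workloads of different trust levels should not share a host.
    zones = {vm["zone"] for vm in host["vms"]}
    if len(zones) > 1:
        findings.append(("mixed-trust-host", f"host mixes zones {sorted(zones)}"))
    # Rule 4 (slide 22): every VM needs a processor quota to bound DoS impact.
    for vm in host["vms"]:
        if not vm["cpu_quota_mhz"]:
            findings.append(("cpu-quota", f"{vm['name']} has no processor quota"))
    return findings


if __name__ == "__main__":
    for rule, detail in check_host(HOST):
        print(f"[{rule}] {detail}")
```

Run against the change-management pipeline, a non-empty result is the "alarm or prevent" signal from slide 20; the same check over the last known-good inventory detects drift between approved changes.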


23

4 big risks

Conclusions:

• Just because an organization can consolidate servers and network security devices in a DMZ using virtualization doesn't mean it should.

• The decision of how much to virtualize in the DMZ must be made with a full understanding of the additional risks that are incurred.

• The cost of implementing mitigating controls must be factored into the return on investment (ROI) decision.

• Ultimately, the decision to implement mitigating controls or live with increased risks of datacenter virtualization must be made by the virtualization decision owner.


24

Security in the datacenter

Different styles of security for applications in public and private data centers

25

e-services evolution

Simplified view of computing services evolution

26

3 styles of securing

A. Rely on security built into the datacenter infrastructure

B. Run your own security controls in the datacenter

C. Require all security controls to run separately from the datacenter (or cloud)

… and a hybrid approach

27

Style #1 (20%)

Depend on security built into the datacenter infrastructure

For many small-medium enterprises and those where security concerns are not a high priority, relying on the built-in security will be good enough

Public service providers will be required to provide evidence of security audits

Private datacenter operators will have to get evaluated against standards or undergo common criteria assessments and the like, e.g. SAS 70, ISO 27001, FISMA, PCI

Typical use cases are:

Applications that only store or process public data

Small businesses that are not subject to compliance demands

Private cloud applications that are well-shielded from external access

28

Style #2 (30%)

Run your own security controls inside the datacenter

For enterprises where business or threat demands put higher priority on security, CISOs or SMs will want to use best-of-breed security technology similar to what they have chosen over the years to protect their physical computing infrastructure and services. It is typical to find virtual editions of their preferred software (e.g. virtual firewalls, IPS, DLP, anti-malware)

Typical use cases are:

Public cloud applications that are consuming infrastructure as a service (e.g. state authorities' servers, VDI)

Businesses under compliance regimes that have issued firm guidance for security in virtual environments (e.g. PCI)

Mainstream private cloud applications that were driven by datacenter consolidation and cost reduction

29

Style #3 (20%)

Keep security separate from the datacenter/cloud

This style dictates that APIs and Web services interfaces be used to force all sensitive VM-to-VM communication to flow to external security controls (e.g. VMsafe API)

Typical use cases are:

Government, financial services and other organizations that have stringent security controls and low risk tolerance

Businesses under compliance regimes that have not issued firm guidance for security in virtualized environments

Enterprises looking to use consumer-grade cloud services that do not meet the requirements for the previous 2 styles

30

Hybrid approaches (30%)

Another 30% of enterprises will use some combination of the three styles primarily integrated with their security controls outside of the cloud computing infrastructure with virtual versions running on the cloud platform.

By the 2015 time frame, leading security vendors will have developed management interfaces and APIs that will allow seamless mixing and matching of stand-alone controls and virtualized controls as there will always be scenarios where both are required.

31

Security level VS Security style

Public datacenter

Low security level: Security built into the datacenter is used; a statement on auditing standards or security certification is sufficient

Medium security level: Third party security running in the datacenter is used; a custom/industry security assessment is performed

High security level: Security is performed outside the datacenter or cloud; no trust of the cloud

Private datacenter

Low security level: Security built into a VM is used; vendor security claims are accepted

Medium security level: Third party security running on the VM is used; a certification / accreditation assessment is performed

High security level: Security is performed outside the VM; security product certification

Matching the security level of the application to the datacenter security style. Source: Gartner 2010

32

Network security control vendors

• Altor Networks, which was formed by former Check Point employees and acquired by Juniper in 2010, developed the world's first firewall purpose-built for virtual networks

• Apani, which offers identity-based network access control within virtualized environments

• Catbird V-Agent, which offers Snort-based IDS/IPS, network access control (NAC) and vulnerability assessment

• Check Point, which released its virtual firewall in 2008 and is working on the next generations

• Enterasys, which has IPS capabilities supported as a VM monitoring the virtual network

• IBM, which released its Virtual Server Security for VMware virtual appliance in December 2009

33

Network security control vendors

• McAfee, which acquired Secure Computing in late 2008 and offers its firewall/IPS combination as a virtual appliance

• Microsoft, which released a virtual appliance version of its ISA Server in 2008

• RedCannon, which offers a virtual appliance solution providing firewalling, IPS and VM policy enforcement within virtualized environments

• Reflex Systems' Reflex Virtual Security Appliance (VSA)

• Sourcefire, which has announced a virtual appliance implementation of its RNA and Snort-based IPS offerings

34

Security as business enabler

Athens International Airport, Air Traffic Control complex

35

Security is about CI&A

Athens International Airport, night view from western runway

36

Athens International Airport S.A.

Thank you for your attention!

George D. Delikouras

CISM, CGEIT, C-RISK

Athens International Airport S.A. IT&T Business Unit

[email protected]