Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Is it an internal affair
1. Layer One conference
Information security in the datacenter:
Is it an internal affair?
George D. Delikouras,
CISM, CGEIT, C-RISK
Athens International Airport S.A.
Head Information security
IT&T Business Unit
george.delikouras@aia.gr
2nd DATA CENTER INFRASTRUCTURES NETWORKING & CABLING
CONFERENCE, ATExcelixi, October 12, 2012
2. Introduction
Consolidation in the datacenter is always the objective that
serves cost reduction
Virtualization technology has been adopted by datacenter
providers as it serves consolidation
The contemporary environment in the data center is hybrid,
combining physical and virtual machines
Information security regulatory frameworks increase and affect
more industries
Information security standards become analytic, specific,
detailed, strict, heavy, costly yet at the same time their adoption
also increases by the industry!
Solutions exist for every problem (at least we hope)
The secret of keeping the costs down is well hidden in the design
phase
3. Security in the datacenter
Key findings from the industry
2010-2012
4. Key findings
• Virtualization is not inherently insecure. However,
most virtualized workloads are being deployed
insecurely. The latter is a result of the immaturity of
tools and processes and the limited training of staff,
resellers and consultants.
• The virtualization platform is becoming the most
important x86-based IT platform in the next
generation data center.
• The combination of more workloads being virtualized
and workloads becoming more mobile creates a
complex and dynamic environment that will be more
difficult to secure.
5. Key findings
• With extreme consolidation, the cost of maintaining
the needed level of security may exceed the savings.
• Organizations can outsource the security function, but
they cannot outsource the liability for failure to the
provider.
• IT organizations must conduct a realistic assessment
of the impact of the provider's failure on the business,
and perform contingency planning.
• Organizations must be careful to realistically compare
the security posture of their own data centers to those
of the provider.
6. Key findings
• Most large enterprises will use private cloud services
before public cloud. The security strategies chosen to
secure private cloud will be key to securing public
cloud.
• Third-party security assessment standards are needed
to enable the broad use of public cloud services.
• Security as a service will play a major role in providing
a separate security control plane for the business use
of public cloud services.
10. Workloads VS trust levels
• Currently in security-critical areas of the network, such
as an organization's data center, workloads of similar
trust levels may be consolidated. However, some
consolidation scenarios will result in the consolidation of
workloads of different trust levels and in the highest-risk
case, trusted and untrusted workloads may end up being
combined on the same server.
• "Can virtualization be used in the datacenter?" — which
it can — but instead ask, "Should this be done?"
12. The datacenter (hybrid)
Internet
Database activity monitoring
Firewall
router
Intrusion prevention system
Firewall
router
FTP server
Web server
File server
e-mail server
VM 2: app2
VM 1: app1
VM 2: DB2
VM 1: DB1
15. 4 big risks
Risk: Loss of separation of duties between security/network
security and operations
• When external network-based security systems are used to enforce
separation between datacenter trust zones, a level of Separation Of
Duties (SOD)-by-default is achieved, because the functions are
hosted on separate physical systems that are managed and
configured by separate teams.
• Within the virtual server, the virtual server administrator who has
access to the "root" ID of the privileged software levels and
configuration can now alter or disable security settings, creating the
potential for conflict of interest.
16. What can I do?
• Consolidate only similar trust levels of workloads so that SOD of
security configuration and controls is minimally impacted.
• If workloads of different trust levels are consolidated, use external
inspection and security policy enforcement
• Require strong authentication for privileged account access, with full
auditing and logging.
• A check-in/check-out process for administrative IDs, including
privileged virtual server "root“ administrators, with full auditing and
logging of activities performed
• Control the ability to change security settings in the virtual server.
• Security professionals must retain the ability to quickly change
settings and policies, potentially affecting the operation of critical
production workloads (INFOSEC task force an & enforcement)
17. 4 big risks
• Risk: Privileged software layers, such as hypervisors,
virtual machine monitors, host operating systems, parent
partitions and drivers, will contain embedded
vulnerabilities that may be exploited to breach zone
isolation
18. What can I do?
• Favor virtualization technologies that have been shown to be secure
in real-world deployments over time. Newer is not better from a
security perspective.
• Extend the organization's vulnerability and patch management
processes to encompass the privileged layers of software in a virtual
server
• Use an externally based in-line network IPS that can shield the
privileged layers of virtualization software from network-based
attacks.
• Prohibit and disable the loading of arbitrary code in privileged
partitions
• Develop strict internal processes and controls for configuration
changes of these layers, including device drivers.
• There are more low level security controls to add
19. 4 big risks
• Risk: Security isolation between different levels of trust
depends on absolutely correct configuration of the
internal virtual network, including any virtual LAN (VLAN)
settings, NIC bindings and information flows. Incorrect
configuration could result in a compromise of zone
isolation.
20. What can I do?
• Use third-party standards to baseline the configuration as the
standards become available. Configuration standards are
available in the physical world, but similar standards for the
virtualized world are not yet available.
• Detect, log and ideally prevent unauthorized configuration
changes. Alarm (or prevent) authorized changes that violate
policy.
• To reduce the number of security configurations within the virtual
server, the virtual server could be configured so that all traffic is
sent for external inspection and policy enforcement.
• Because inter-VM traffic flows will be completely invisible to
externally based network enforcement devices, virtual-server-
based in-line IPS should be used to ensure no unexpected flows
occur.
• Increased diligence in configuration management and change
management processes provide additional oversight.
21. 4 big risks
• Risk: Virtualization technologies for sharing hardware
among consolidated workloads increases the impact of a
DoS attack
22. What can I do?
• Consolidate Ensure that the virtual server is configured absolutely
correct to prevent DoS:
– Require dedicated/separate NICs for VM management
– Require dedicated NICs for each trust zone
– Implement processor quotas per VM
– Implement disk space quotas
– Protect system disk partitions from oversized logs and queues
– Understand that compromise of a privileged software level will be harder to
protect against DoS, because it is assumed to be privileged
• Plan for "hot" standby and transfer of datacenter workloads when
patching is required.
• Implement behavioral profiling and monitoring of VMs
• Avoid virtualization architectures in the datacenter that require a
"parent" partition to host "child“ security workloads. The parent
partition becomes a single point of failure and target for attack.
23. 4 big risks
Conclusions:
• Just because an organization can consolidate servers and network
security devices in a DMZ using virtualization doesn't mean it should.
• The decision of how much to virtualize in the DMZ must be made
with a full understanding of the additional risks that are incurred.
• The cost of implementing mitigating controls must be factored into
the return on investment (ROI) decision.
• Ultimately, the decision to implement mitigating controls or live with
increased risks of datacenter virtualization must be made by the
virtualization decision owner.
24. Security in the datacenter
Different styles of security for
applications in public and private
data centers
26. 3 styles of securing
A. Rely on security built into the datacenter
infrastructure
B. Run your own security controls in the datacenter
C. Require all security controls to run separately from
the datacenter (or cloud)
… and a hybrid approach
27. Style #1 (20%)
Depend on security built into the datacenter infrastructure
For many small-medium enterprises and those where security
concerns are not a high priority, relying on the built-in security
will be good enough
Public service providers will be required to provide evidence of
security audits
Private datacenter operators will have to get evaluated against
standards or undergo common criteria assessments and the like.
E.g. SAS 70, ISO:27001, FISMA, PCI
Typical use cases are:
Applications that only store or process public data
Small businesses that are not subject to compliance demands
Private cloud applications that are well-shielded from external
access
28. Style #2 (30%)
Run your own security controls inside the datacenter
For enterprises where business or threat demands put higher
priority on security, CISOs or SMs will want to use best-of-breed
security technology similar to what they have chosen over the
years to protect their physical computing infrastructure and
services. It is typical to meet virtual editions of their preferred
s/w (e.g. virtual firewalls, IPS, DLP, anti-malware)
Typical use cases are:
Public cloud applications that are consuming infrastructure as
a service (e.g. state authorities servers, VDI)
Businesses under compliance regimes that have issued firm
guidance for security in virtual environments (e.g. PCI)
Mainstream private cloud applications that were driven by
datacenter consolidation and cost reduction
29. Style #3 (20%)
Keep security separate from the datacenter/cloud
This style dictates that APIs and Web services interfaces be used
to force all sensitive VM-to-VM communication to flow to external
security controls (e.g. VMsafe API)
Typical use cases are:
Government, financial services and other organizations that
have stringent security controls and low risk tolerance
Businesses under compliance regimes that have not issued
firm guidance for security in virtualized environments
Enterprises looking to use consumer-grade cloud services that
do not meet the requirements fro the previous 2 styles
30. Hybrid approaches (30%)
Another 30% of enterprises will use some combination of the
three styles primarily integrated with their security controls
outside of the cloud computing infrastructure with virtual versions
running on the cloud platform.
By the 2015 time frame, leading security vendors will have
developed management interfaces and APIs that will allow
seamless mixing and matching of stand-alone controls and
virtualized controls as there will always be scenarios where both
are required.
31. Security level VS Security style
Low Medium High
Public
datacenter
• Security built into
the datacenter is
used
• Statement on
auditing standards
or security
certification
sufficient
• Third party
security running
in the datacenter
is used
• Custom/industry
security
assessment is
performed
• Security is
performed outside
the datacenter or
cloud
• No trust of the
cloud
Private
datacenter
• Security built into a
VM is used
• Accept vendor
security claims
• Third party
security running
on VM is used
• Certification /
accreditation
assessment is
performed
• Security is
performed outside
the VM
• Security product
certification
Matching the security level of application to the datacenter security style
Source: Gartner 2010
32. Network security control vendors
• Altor Networks, which was formed by former
Check Point employees acquired by Juniper in
2010 developed the world’s first firewall
purpose-built for virtual networks
• Apani, which offers identity-based network
access control within virtualized environments
• Catbird V-Agent, which offers Snort-based
IDS/IPS, network access control (NAC) and
vulnerability assessment
• Check Point, which released its virtual firewall
in 2008 and is working on the next generations
• Enterasys, which has IPS capabilities supported
as a VM monitoring the virtual network
• IBM, which released its Virtual Server Security
for VMware virtual appliance in December 2009
33. Network security control vendors
• McAfee, which acquired Secure Computing in
late 2008 and offers its firewall/IPS
combination as a virtual appliance
• Microsoft, which released a virtual appliance
version of its ISA Server in 2008
• RedCannon, which offers a virtual appliance
solution providing firewalling, IPS and VM
policy enforcement within virtualized
environments
• Reflex Systems' Reflex Virtual Security
Appliance (VSA)
• Sourcefire, which has announced a virtual
appliance implementation of its RNA and
Snort-based IPS offerings
34. Security as business enabler
Athens International Airport, Air Traffic Control complex
35. Security is about CI&A
Athens International Airport, night view from western runway
36. Athens International Airport S.A.
Thank you for your
attention!
George D. Delikouras
CISM, CGEIT, C-RISK
Athens International Airport S.A.
IT&T Business Unit
george.delikouras@aia.gr