Virtualization and cloud security architects, pundits, and writers like myself often talk about protecting the data within virtual and cloud environments. However, in order to protect that data we need to be able to determine how the data will be used, accessed, modified, and eventually removed. So how can we understand data security without understanding the application around it? But there is an even more fundamental problem: how do we define the application and the security measures we should take?
Let us investigate the security requirements of the rather complex interactions in the application depicted in Figure 1, which was captured from VMware Infrastructure Navigator (VIN). As Figure 1 makes easy to see, data flows between multiple tiers. The leftmost virtual machines are the web front end, followed by some middleware, a database, and some level of back-end processing.
What the application does is also important to understand, or is it? We need to know how the data is passed between the application components, and what the application components do with that data before passing it on to other components. However, even though VIN can assist us with the network connections between application components, it cannot tell us what is happening on the storage, or even between the VMs when a non-network path is used for communication. Networks are not the only attack vector, just one of the more popular ones.
Since security depends on maintaining the confidentiality, integrity, and availability of the data, we can look at Figure 1 and attempt to determine the weaknesses in the data flow:
- All Data Flows to or from the database
- There are 4 different communication tools in place (IIS, Apache Tomcat, RabbitMQ, VMware vCenter)
- We know that MS SQL, IIS and Apache store data on disk
- We know that configuration files for all layers are stored on disk
- We do not know if there is any Inter-VM communication using non-network means
- We do not know where the disks for each VM are stored
So what can we surmise from this complex application?
- MSSQL uses a clear text protocol
- IIS, Apache Tomcat can use encrypted protocols
- There is no central communication hub such as the database
How would we protect this application?
There is the rub: if we concentrate on the ‘data’, we would need to do the following:
- Encryption or digital signatures of data at rest
- Encryption or digital signatures of data in motion
But since we cannot control how the data is passed between all the components, we need to think more about the application as a whole and not just the data. So we would be tempted to do just the following:
- Harden each component and virtual machine of the application separately
- Encrypt data at rest within the database virtual machine
But is that enough? In short, no. It is a good start, but not sufficient; given current virtualization and cloud security techniques, we can do so much more. For example, we can do the following:
- Implement firewalls before the application and perhaps between critical layers (tiers) of the application (vShield Edge, Catbird, Vyatta, Palo Alto, etc.)
- Use Introspective Firewalls to ensure only acceptable layer-3 traffic is allowed between specific VMs, i.e. if a VM should only talk to VMware vCenter and MS SQL, then it should be allowed to talk to those and only those other VMs, and only over the specified protocols (vShield App, Trend Micro Deep Security, Reflex Systems vTrust, Juniper vGW, Check Point, etc.)
- Use Introspective Anti-Virus scanning to ensure that the front-end servers at the very least have not been infected (Trend Micro Deep Security, Kaspersky)
- Use Introspective disk scanning to ensure personal and private information is not stored on VMs where it should not be stored (vShield Data Security)
- Ensure only the proper people can manage each component (HyTrust)
The tools to implement all of these vary by vendor, but they all use similar technologies. However, none of these tools yet looks at the application as a whole, i.e. protects this multi-tiered application as one unit. Instead, they look at each of the components separately. It would be very cool if one of the virtualization security vendors could look at the application and protect it with a predefined set of rules and requirements.
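To make the "application as a whole" idea concrete, here is an added example (my own code, not part of the original post and not taken from VIN or any of the vendor products named above) of what such a predefined, application-level policy could look like. It models the tiers from Figure 1 as an allow-list of tier-to-tier flows, expands that policy into the per-VM allow/deny rules an introspective firewall would enforce, and audits a handful of observed flows against it. The VM names, tiers, ports and observed flows are constructed for the example; the cleartext flag on the MS SQL protocol follows the post's own observation that MSSQL uses a cleartext protocol.

```python
"""Audit a multi-tier application's VM-to-VM flows against a tier-level policy.

Added example. All VM names, tiers, ports and observed flows below are
constructed to mirror the tiers described in the post, not real inventory.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str    # source VM name
    dst: str    # destination VM name
    proto: str  # application protocol name
    port: int   # TCP port


@dataclass(frozen=True)
class Finding:
    severity: str  # "deny" (policy violation) or "warn" (allowed, but risky)
    flow: Flow
    reason: str


# Constructed application model: which VM belongs to which tier.
TIERS: Dict[str, str] = {
    "web-01": "web", "web-02": "web",          # IIS front ends
    "mq-01": "messaging",                       # RabbitMQ broker
    "tomcat-01": "middleware",                  # Apache Tomcat
    "sql-01": "database",                       # MS SQL
    "vcenter-01": "management",                 # VMware vCenter
}

# Constructed tier-level policy: (src_tier, dst_tier, proto, port).
# Anything not listed here is denied (default deny).
ALLOWED: Set[Tuple[str, str, str, int]] = {
    ("web", "messaging", "amqp", 5672),
    ("web", "middleware", "https", 8443),
    ("middleware", "messaging", "amqp", 5672),
    ("middleware", "database", "tds", 1433),
    ("middleware", "management", "https", 443),
}

# Protocols treated as cleartext on the wire. "tds" is MS SQL's wire protocol,
# flagged here because the post observes that MSSQL uses a cleartext protocol.
CLEARTEXT: Set[str] = {"tds", "http"}


def tier_of(vm: str) -> str:
    """Map a VM to its tier; VMs outside the model are 'unknown'."""
    return TIERS.get(vm, "unknown")


def evaluate(flows: List[Flow]) -> List[Finding]:
    """Return one Finding per flow that is denied or permitted-but-cleartext."""
    findings: List[Finding] = []
    for f in flows:
        s, d = tier_of(f.src), tier_of(f.dst)
        if "unknown" in (s, d):
            outsider = f.src if s == "unknown" else f.dst
            findings.append(Finding("deny", f, f"VM outside the application model: {outsider}"))
            continue
        if (s, d, f.proto, f.port) not in ALLOWED:
            findings.append(Finding("deny", f, f"{s} -> {d} over {f.proto}/{f.port} is not in the application policy"))
            continue
        if f.proto in CLEARTEXT:
            findings.append(Finding("warn", f, f"permitted flow uses cleartext protocol {f.proto}; data in motion is unprotected"))
    return findings


def per_vm_rules() -> Dict[str, List[str]]:
    """Expand the tier policy into per-VM rules, ending each VM with default deny.

    This is the shape an introspective firewall enforces per VM; the policy
    itself is still written once, at the application level.
    """
    rules: Dict[str, List[str]] = {vm: [] for vm in TIERS}
    for src_tier, dst_tier, proto, port in sorted(ALLOWED):
        for dst_vm, dt in TIERS.items():
            if dt != dst_tier:
                continue
            for src_vm, st in TIERS.items():
                if st == src_tier:
                    rules[dst_vm].append(f"allow in from {src_vm} tcp/{port} ({proto})")
                    rules[src_vm].append(f"allow out to {dst_vm} tcp/{port} ({proto})")
    for vm in rules:
        rules[vm].append("deny any")
    return rules


# Constructed sample of observed flows (as a tool like VIN might report them).
OBSERVED: List[Flow] = [
    Flow("web-01", "mq-01", "amqp", 5672),     # allowed by policy
    Flow("tomcat-01", "sql-01", "tds", 1433),  # allowed, but cleartext
    Flow("web-02", "sql-01", "tds", 1433),     # web tier must not reach the database directly
    Flow("web-01", "backup-99", "ssh", 22),    # VM that is not part of the application model
]

if __name__ == "__main__":
    for fd in evaluate(OBSERVED):
        print(f"[{fd.severity}] {fd.flow.src} -> {fd.flow.dst} {fd.flow.proto}/{fd.flow.port}: {fd.reason}")
    for vm, vm_rules in per_vm_rules().items():
        print(vm, vm_rules)
```

The point of the split between `ALLOWED` and `per_vm_rules()` is that the security intent is stated once, in terms of the application's tiers, and the per-VM firewall rules fall out of it; adding a second Tomcat VM changes `TIERS`, not the policy. The "warn" finding on the permitted TDS flow is the article's data-in-motion concern showing up inside a policy that is otherwise satisfied.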
So what is the application depicted? It is a vCloud instance with monitoring tools added. An application is not just one of the well-known ones such as Oracle or SAP, but whatever your business defines as one. So, common applications that are prevalent these days in virtual and cloud environments are:
- Virtual Desktops (desktops as well as management components)
- Cloud Instances (management components)
- Mail Services (data + middleware + management components)
- Web Services (data + middleware + management components)
- Database services (data + middleware + management components)
As you can see, the definition of an application depends mostly on how the service is presented, but an application can easily be composed of three things: the data, the middleware, and the management components. We need good security for all of them, not just for one aspect of the application.