Symantec and others are providing more products that fill the gaps in current End-to-End Hybrid Cloud and Application Security. These solutions range to improved log analysis through multi-layer security for critical systems. If these solutions are rolled out would we finally have secure environments? But first what are the products that have come to light? Should we be focusing on the App more?Over the last 6 months or so, there has been a rash of new directions for traditional security vendors, whether that is to create a virtual appliance or more fully integrate into the underlying virtualization layers. So what are these new tools? Some I have written about before but others are new to me or more the approach is new.
- Symantec Critical System Protection (CSP) imposes multi-layer security on top of existing operating systems. While you may not want to use CSP on everything, it is well worth applying to all your critical management servers that control your virtual environment such as vCenter Server, System Center Server, XenConsole Server, or cloud services servers for VMware, Hyper-V, or OpenStack.
- Symantec, BitDefender, Kaspersky, McAffee and others are now working to provide solutions that either offline anti-virus/anti-malware scanning or provide ways to cache results for well known files, in essence reducing the overall compute time required to run a scan.
- LogLogic, LogRhythm, and Splunk have rolled out new log management tools that now know more about your virtual environment than ever before. Instead of treating vSphere, Xen, or KVM as traditional Linux hosts, they now treat them as independent types of host and provide roll up of critical failures and security issues within a virtual environment.
- Kroll Ontrack, DriveSavers, and others can now recovery virtual machine disks from corrupted filesystems and arrays.
- ZScaler, Symantec.Cloud, and other security as a service companies are growing their insight into web, email, messaging, and other attacks to combat the ever present advanced persistent threat (APT)
These are just a handful of new endeavors that aid in virtualization and cloud security. But is this enough?
In some ways not really, the best practices we have for virtual environments are all about virtual environment management and control, but we now should be looking to best practices for putting tier 1 applications into the environment. What types of defense in depth is required to virtualize these applications? Do we need more security controls and how can the application owners be made aware that there is a security issue so that incident response can be applied?
This is really where existing security policies come into play, they were hopefully not ignored during the early stages of virtualization, but the design for defense-in-depth needs to take into consideration those tools that work within the virtual environment. Let us look at a simple mail application such as Exchange. Does this run within the DMZ? If not (and usually not as there is often a SMTP gateway in the DMZ), then it should be prevented from moving from its trust zone to another (perhaps via HyTrust’s or other virtualization security software’s built-in tagging mechanisms). We would also need to harden Exchange and the Windows machines that are running Exchange as well according to the chosen standard or internal policy. In addition, we should apply the necessary virtual machine isolation settings to harden the virtual machine as best we can. Are there other best practices?
Yes, there are with Exchange and that is usually in the number of disks to be used and to what they apply, we now need to consider where those disks reside and who has access to the storage device. For some Exchange implementations, those storage devices are local to the hardware, but for a virtual environment this is hardly the case. So the storage becomes in scope for any defense in depth procedures. Perhaps we can add:
- multi-level security within the VM
- offloaded endpoint security
- agent-less data replication to a hot-site using different storage
- basic agent-less data loss prevention
- continuous assessment of the environment
- use of security as a service to weed out spam, virus, and other attacks
Virtualization can provide a different approach to creating tools, and how those tools can be implemented. But, we should never forget that we are protecting the data, and these new tools are here to help us to do this. But given that integrity and confidentiality are the hardest parts of security, we still need to know who did what when where and how, which ends up being analysis or other forms of audit controls such as Packet Motion’s packetsentry products.
Tier 1 Apps are when the security folks get serious and involved with virtualization and cloud environments. Hopefully, they were involved since day 1.