Christmas is over and New Year's is on its way. A time to make resolutions and see the year complete. A time to review what is old and plan for the future. This is a perfect time to review your defense in depth and look to see if there are security additions needed in 2012. So what cloud and virtualization security New Year's resolutions should I make for 2012?
First we need to know what is available, and what aspect of cloud and virtualization security we need to consider. Perhaps we actually should consider everything, but that is one mighty big resolution. So we can take everything in steps from the no-cost steps through various security tools to educating all involved with cloud and virtual environments.
There are the classic no-cost steps that everyone must take, which have been discussed at length:
- Realize that data does not always leave the virtual environment when VMs talk to each other, so visibility into this environment is required.
- Segregate and separate your management constructs from your workloads.
- Realize that hardening guides are only part of the solution; defense in depth is required.
- Form a cross-functional team to review all things cloud or virtualization.
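The second of those steps can be turned into a concrete audit. The following is an added example, not code from the original post: it walks a constructed, vSphere-style inventory (hypothetical port group and VM names, not real data) and flags workloads that share a VLAN with management or vMotion port groups, or VMs that are dual-homed across the two.

```python
"""Added example: audit management/workload segregation in a virtual environment.

The inventory below is constructed for illustration (hypothetical names). A port
group carries a VLAN ID and a role: "management" (ESXi/vCenter management,
vMotion, storage) or "workload". Each VM lists the port groups its vNICs use.
"""
from collections import defaultdict

PORT_GROUPS = {
    "Mgmt-VMkernel": {"vlan": 10, "role": "management"},
    "vMotion":       {"vlan": 10, "role": "management"},  # shares VLAN with mgmt: fine
    "Prod-Web":      {"vlan": 100, "role": "workload"},
    "Legacy-App":    {"vlan": 10, "role": "workload"},    # workload placed on mgmt VLAN
}

VMS = {
    "web01":  ["Prod-Web"],
    "app07":  ["Legacy-App"],
    "jump01": ["Prod-Web", "Mgmt-VMkernel"],  # dual-homed VM bridging the two zones
}


def vlans_by_role(port_groups):
    """Map each role to the set of VLAN IDs used by port groups of that role."""
    roles = defaultdict(set)
    for pg in port_groups.values():
        roles[pg["role"]].add(pg["vlan"])
    return roles


def find_segregation_violations(port_groups, vms):
    """Return sorted (vm, reason) pairs where a workload touches the management zone."""
    mgmt_vlans = vlans_by_role(port_groups)["management"]
    findings = []
    for vm, attached in vms.items():
        attached_roles = {port_groups[pg]["role"] for pg in attached}
        # A VM with vNICs in both zones is a bridge around the segregation.
        if {"management", "workload"} <= attached_roles:
            findings.append((vm, "dual-homed across management and workload port groups"))
        # A workload port group on a management VLAN shares the broadcast domain.
        for pg in attached:
            info = port_groups[pg]
            if info["role"] == "workload" and info["vlan"] in mgmt_vlans:
                findings.append((vm, f"workload port group {pg} is on management VLAN {info['vlan']}"))
    return sorted(findings)


if __name__ == "__main__":
    for vm, reason in find_segregation_violations(PORT_GROUPS, VMS):
        print(f"{vm}: {reason}")
```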
There are standards to employ:
- DISA STIG for ESX v3.x (however there is nothing yet for ESX v4 or v5 so you must apply existing practices such as the VMware Hardening Guide, PCI DSS 2.0, or CISSecurity guides)
- CISSecurity Guide for vSphere v4
- VMware Hardening Guide for vSphere v4
- PCI DSS 2.0 guidance for virtual and physical environments
There are the classic extensions of your existing physical security tools:
- If you use Cisco gear, look at the Cisco Nexus 1000V + VSG combination
- If you use Juniper gear, look at the Juniper vGW (formerly Altor)
- If you use TippingPoint gear, look at Reflex Systems vTrust
- If you use Checkpoint gear, look at Checkpoint’s virtual firewall
- If you use IBM gear, look at IBM VSS
There are also the classic requirements for firewall, IDS, IPS, compliance, and remediation:
- For automated remediation of compliance and other violations you will want to consider Catbird, Reflex Systems VMC + vTrust
- For Compliance you may wish to look at VMware Configuration Manager, HyTrust, Catbird, Reflex Systems, and Juniper vGW
- If you want to look at a classic firewall with IDS/IPS you will wish to consider Reflex Systems, Vyatta, Trend Micro, Catbird, Juniper vGW, Checkpoint, VMware vShield (no IDS/IPS yet), and many others
For classic Anti-malware requirements there are:
- For offloading anti-malware there is Trend Micro Deep Security
- For virtualization-aware technologies there are Trend Micro Deep Security, Symantec, McAfee, and others
For data-at-rest security and movement of data between clouds:
- You will want to look at Afore Technologies
For offloaded Security as a Service:
- Zscaler offloads anti-virus, anti-malware, DLP, and many other security functions
- Cloud Passage offloads firewall management within Amazon EC2 and other clouds
- Trusteer offloads certificate management for critical systems
The list goes on from here, with many tools appearing in more than one category. Savvy cloud and virtualization administrators and security administrators will realize that there is no single tool, and that they will need to run a combination of tools and practices to implement their security policies.
2011 saw growth in virtual environment security; however, what I see in the industry is an increased need to just do the basics: the low-hanging fruit that starts with virtualization and cloud architecture. There is still a need to educate everyone about the issues surrounding virtual environment security, and a need to improve security folks' understanding of cloud and virtual environments. These educational processes must continue; consider some of the courses on virtual environment security and you will see just how easy it is to attack a badly architected environment. Courses from:
- SANS' Virtualization and Private Cloud Security
- Data-Sentry Inc.'s Hacking Uncovered: VMware® (5 days) (Advanced VMware Security)
- RSA Conference
- InfoSec World
- and many others
It all starts with knowledge: knowledge that there are no longer any bastions, that defense in depth is a requirement, and that we need to protect our data as it moves around our virtual environments, hybrid clouds, and into and out of the various clouds we use today, such as Salesforce, Dropbox, Google, Twitter, etc. The list is nearly endless; as such, we need to consider where we access this data from (our hand-held devices), how we access it (mostly in cleartext or over easily broken SSL connections), and how we can protect it. Perhaps we should all add a simple resolution to our New Year's list:
I resolve to review where our data goes, how best to protect our data, and how to maintain security where the bastion has moved to the data.