When we look at the secure hybrid cloud, the entry point to the hybrid cloud is the end user computing device, whether that device is a tablet, smart phone, desktop, laptop, google glass, watch, etc. We enter our hybrid cloud from this device. From there we spread out to other clouds within our control, clouds outside our control, or to data centers. How these devices authenticate and access the data within these various places within the hybrid cloud becomes a matter of great importance and has been a concentration for many companies. How we protect the data that ends up on the end user computing device is also of great importance.When we look at the secure hybrid cloud we need to understand all the different aspects of the hybrid cloud, once we understand that we then have an understanding of what data could be accessed from and perhaps end up residing upon the end user computing device as well as the possible identities used for authentication by those devices. As such we use figure 1 (secure hybrid cloud) to guide our discussions.
There are three parts to our secure hybrid cloud that are of interest:
- Transition – The transitional component of a secure hybrid cloud contains all those items that either allow access to or move data between multiple cloud instances, between those clouds and a data center or centers, and between the end user computing device and clouds and data centers. The transitional component is fairly fluid.
- Cloud – The Cloud includes all those places outside our immediate control where data could end up or be taken from. In some cases even used to further our transitional goals.
- Data Center – The data center is generally with in our control and could be a private cloud or just a collection of virtual and physical machines, the data center may transfer data between multiple data centers or back and forth to the cloud.
End User Computing – At a Conference
When we talk about end user computing and the secure hybrid cloud we generally start talking about various forms of end point security that depend heavily on the device in use, but we also need to be cognizant of the identity one uses from the end user computing device, where data shall reside, and where it will flow. In many cases, we need to worry more about the data than anything else. However, since End User Computing is the entry point we tend to contend with its security over the others. During the 6/27 virtualization security podcast, we were joined by Simon Crosby and Tal Klein of Bromium to discuss just this in the concept of practical experience while at a conference. Out of that podcast came several tips:
- When using a bluetooth keyboard, never use it to enter passwords, use on screen keyboards for this if possible
- Never access a USB device that is outside your control, such as those handed to you by vendors
- Always charge your end user computing devices (tablets, smart phones, etc.) using a charging brick and not a USB charging station or some one else’s laptop or device.
- Have a back up means to access the internet such as a MiFi as conference wireless is often under attack
- Be wary when using 3G, 4G, and LTE devices as those devices may be routing through the conference wireless just to gain capabilities
- Always use pre-shared certificates for your VPN or SSL connections
- Do not not trust the conference DNS servers, have a handy list of IP Addresses and destinations available for your VPN and other crucial sites.
- When you use a VPN be cognizant that once you access the VPN not all traffic may route through the VPN, it is far better to bring up a remote system (only accessible via VPN) to access items on the other side of the VPN.
and many other suggestions on how to be safe at a conference. Many of these suggestions talked about defense in depth as an old way of looking at things, but defense in depth is not about multiple walls around your data but understanding how your data is accessed and the protections needed.
End User Computing – Security Tools
To that end there are some tools that could be of use for end user computing:
- Bromium – Bromium provides a unique security tool for windows based devices. Bromium’s goal is to isolate access to just the data in question and not to the actual operating system under neath. In this way, it stops the spread of malware. Each action from opening a VPN, to accessing a website over that VPN is held within its own micro-virtual machine completely within the realm of hardware. In this way if one micro-virtual machine is infected no others are infected. Therefore limiting the impact of malware on Windows based systems such as laptops but not windows based virtual machines. Bromium cannot yet run within a virtual machine as it needs direct access to the underlying hardware hypervisor controls.
- Symantec Critical System Protection – Symantec CSP approaches end point security by implementing a form of mandatory access controls around applications that we use on a daily basis to access our networks. While Symantec CSP. Mandatory access controls allow policy to drive how applications access data such as over specific ports, specific file systems, and at the same time sandbox any applications within a cocoon of access control. Symantec CSP will work within virtual machines as well as physical hardware.
- VMware Horizon Mobile – Horizon Mobile from VMware provides a mobile hypervisor with a virtual machine or mobile container for critical data that resides on mobile devices such as smart phones and tablets. The mobile virtual machine (Andriod) or mobile container (Apple) are encrypted and have access to select applications outside the applications normally installed upon the device. The goal is to limit the cross contamination of business vs personal data on our mobile devices. With the mobile container or virtual machine, Horizon Mobile can impose some level of mobile device management and application management on just a part of all data on the device.
- Trend Micro Mobile Security – Trend Micro’s mobile security includes 4 main components: malware scanning, mobile device management, mobile application management, and data loss prevention. It does all this from a single management console. While malware scanning on a mobile device sounds in effective there are often SMS and other messaging technologies that could be disruptive and for known items, the approach alleviates those concerns. However, for unknown malware, it can be fooled. So they have also bundled in mobile device management to allow control over a device with security settings that are not often set by the user. Data loss prevention includes the ability to remote wipe, etc. The owners of the device shift security control over to the Trend Micro Mobile Security management team.
- MobileIron – Unlike Trend Micro, MobileIron’s mobile device management control is opted in by the end user and can be opted out of at any time or for a certain time period. If we opt-out we may loose access to data and applications but end users once more gain control of their own devices.
There are many other tools for securing the end user computing device from anti-malware/anti-virus vendors, as well as from other security companies such as installable firewalls specifically designed for an OS or specific use. Many of these are the same as we use today but virus’ and malware still get in. The ones mentioned are designed to limit access even for unknown-unknown virus and malware. Trying to protect us from the bad actor, we may need multiples of these tools depending on the end user computing devices in use. If we can protect the end point we can protect the data on that end point which comes from all over our secure hybrid cloud through various agents and applications.
So what tools do you use to protect your end user computing device?