I have spoken and written quite a bit on the delegate user problem facing cloud and virtual environments. It is a growing problem, as we delegate actions from logged-in users to service accounts to implement changes on our systems. Any system, for example, that proxies administrative requests suffers from the delegate user problem. In essence, when we go to determine who did what, when, where, and how, forensics leads us to a delegate user or service account. We do not know beyond a shadow of a doubt who the user really was. We can correlate multiple log files, and based on time we may be able to come up with a set of users who could have done the deed. However, unless only one user was involved, we just end up with a set of users. Those sets of users, themselves, can be other service accounts—other delegate users, abstracting the real user.
Articles Tagged with Audit
When to implement security and data protection practices, or even change existing ones, is all about timing, knowledge, and scope. Deciding what to implement at any particular time requires knowledge of what needs to be fixed, and also of what the future could hold. To do this properly, you need to pay close attention to the threats within your industry, understand their impact, and evaluate them based on risk. Where to obtain such knowledge is always changing, but the scope we apply the knowledge to seems to be static and not changing with the times.
On many a Virtualization Security Podcast I tend to mention that we need greater visibility into the cloud to judge whether Cloud Service Provider security measures are good enough. But why should we bother? I am not saying we should not be concerned about a cloud's security, but that we should, as tenants, be concerned with clouds meeting our security, compliance, and data protection policies and requirements. Will a cloud service provider ever be able to meet a specific organization's requirements as well as the cloud service provider's own policies and compliance?