We’ve been thinking about cloud a lot. My goal is to help demystify security in a virtual environment.
What are we doing with cloud computing?
There are still servers, storage, networking, software, and security. We’re really just implementing them in different ways. Rather than having file servers at every location we are centralizing our data (again as we did 20 years ago). Instead of having multiple physical servers we are virtualizing our servers. We’re even centralizing our client computing with a single instance of an OS across the network.
All I have to say is it’s pretty sweet. I’m a huge fan.
It is much easier for us to secure our data when we know where it is. I’d say that’s a pretty good start. Much easier than multiple people editing a file that is on their desktop, a local file server, a central file server, and ten other people’s desktops.
I think we’d all agree (and judging by VMware revenues we can quantify this) that virtualization rules. We save on bare metal, power, cooling, administration, memory, CPUs, well…we all know. If you have already started virtualizing servers you also know that the chassis become an entire network ecosystem. Almost like a little network island within your private cloud.
One of the most fundamental security mechanisms we use is the firewall. When packets from one virtual machine to another never leave the chassis, how do you enforce least privilege between hosts? In fact, a similar scenario exists on a LAN switch too.
Think about it: if you have two servers in your DMZ, both addressed in the 192.168.1.0/24 subnet, they can talk to each other freely unless a host-based firewall is installed. The same goes for Network Intrusion Prevention Systems. If there is a NIPS between your LAN or DMZ switches and the network firewalls, how will traffic between these virtual hosts get inspected if it never leaves the chassis? Well, if you guessed it doesn't, you win a prize, which just happens to be the answer to that question. 😉
So we have two standard network security technologies that are simply ineffective when traditionally deployed in a virtual environment.
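To make the gap concrete, here is a small audit script, added as an example for this post and not code from the original post, VMware or Trend Micro. It models a constructed inventory (hypothetical names and addresses: two DMZ web servers sharing one chassis, a database on another) and works out, for each flow, which control actually stands in its path: same-subnet traffic is switched at layer 2 inside the vSwitch or LAN switch and never reaches the NIPS or perimeter firewall, so only a host-based firewall on the destination can enforce anything, and if none is installed the flow is simply unenforced.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    host: str      # hypervisor chassis the VM runs on
    cidr: str      # interface address with prefix length
    host_fw: bool  # whether a host-based firewall is installed


# Constructed inventory (hypothetical names and addresses): two DMZ web
# servers share chassis esx-01; the database lives on esx-02 in the LAN.
VMS = {
    "web1": VM("web1", "esx-01", "192.168.1.10/24", host_fw=True),
    "web2": VM("web2", "esx-01", "192.168.1.11/24", host_fw=False),
    "db1":  VM("db1",  "esx-02", "10.0.0.20/24",    host_fw=True),
}

# Constructed host-based allowlist: (src, dst, dst_port) accepted by the
# destination's own firewall; anything not listed is dropped.
HOST_POLICY = {("web2", "web1", 443)}


def network(vm: VM) -> ipaddress.IPv4Network:
    return ipaddress.ip_interface(vm.cidr).network


def path(src: VM, dst: VM) -> list[str]:
    """Network elements a packet from src to dst passes through."""
    if network(src) == network(dst):
        # Same subnet: switched at layer 2. On one chassis the vSwitch
        # forwards it; across chassis the LAN switch does. Either way the
        # perimeter firewall and the NIPS in front of it never see it.
        return ["vswitch"] if src.host == dst.host else ["vswitch", "lan-switch"]
    # Different subnet: routed through the gateway, i.e. the firewall,
    # with the NIPS sitting on that path.
    return ["vswitch", "lan-switch", "nips", "perimeter-firewall"]


def decide(src_name: str, dst_name: str, port: int) -> str:
    """Which control governs this flow, and what it does with it."""
    src, dst = VMS[src_name], VMS[dst_name]
    if "perimeter-firewall" in path(src, dst):
        return "perimeter"      # filtered and inspected at the edge
    if not dst.host_fw:
        return "unenforced"     # nothing stands between these two hosts
    if (src.name, dst.name, port) in HOST_POLICY:
        return "host-fw-allow"
    return "host-fw-deny"


def audit(flows):
    """Group flows by the outcome of decide(); flows are (src, dst, port)."""
    report = {}
    for s, d, port in flows:
        report.setdefault(decide(s, d, port), []).append((s, d, port))
    return report


if __name__ == "__main__":
    # Constructed sample flows.
    FLOWS = [("web1", "web2", 22), ("web2", "web1", 22),
             ("web2", "web1", 443), ("web1", "db1", 5432)]
    for outcome, items in audit(FLOWS).items():
        print(f"{outcome:14} {items}")
```

Running it lists the web1 to web2 SSH flow under "unenforced": the two servers sit on the same vSwitch and web2 has no host firewall, which is exactly the case the post describes. The same audit over a real inventory export is a quick way to count how many of your flows are governed by nothing but a host-based control you may or may not have deployed.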
And what about the virtual hosts themselves? We can put traditional endpoint anti-malware software on them. Something we've noticed is that if all of the systems run scans or update at the same time, the chassis runs out of I/O! I suppose that's not really surprising.
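One stop-gap while you evaluate a proper virtualization-aware product is to stagger the agent scans per chassis so only a bounded number run at once. The scheduler below is an added example, not code from the original post or any vendor; the VM placement is constructed and the cap and slot length are assumed knobs you would tune to what the chassis can absorb.

```python
from collections import defaultdict

# Constructed placement of VMs onto chassis (hypothetical names).
PLACEMENT = {
    "web1": "esx-01", "web2": "esx-01", "app1": "esx-01", "app2": "esx-01",
    "db1": "esx-02", "db2": "esx-02",
}


def stagger(placement, max_concurrent, slot_minutes, start_minute=0):
    """Assign each VM a scan start (minutes after start_minute) so that no
    chassis has more than max_concurrent scans beginning in one slot.
    Returns {vm_name: start_minute}."""
    by_host = defaultdict(list)
    for vm, host in sorted(placement.items()):   # sorted for a stable plan
        by_host[host].append(vm)
    schedule = {}
    for vms in by_host.values():
        for i, vm in enumerate(vms):
            slot = i // max_concurrent             # fill a slot, then move on
            schedule[vm] = start_minute + slot * slot_minutes
    return schedule


def peak_concurrency(placement, schedule):
    """Largest number of scans starting in the same slot on one chassis,
    i.e. the worst-case simultaneous I/O load the plan allows."""
    counts = defaultdict(int)
    for vm, start in schedule.items():
        counts[(placement[vm], start)] += 1
    return max(counts.values())


def makespan(schedule, slot_minutes):
    """Minutes from the first scan start until the last slot ends."""
    return max(schedule.values()) + slot_minutes


if __name__ == "__main__":
    plan = stagger(PLACEMENT, max_concurrent=2, slot_minutes=30, start_minute=120)
    for vm, start in sorted(plan.items(), key=lambda kv: (PLACEMENT[kv[0]], kv[1])):
        print(f"{PLACEMENT[vm]}  {vm:5}  starts at +{start} min")
    print("peak per chassis:", peak_concurrency(PLACEMENT, plan))
```

The trade-off is visible in the two numbers the helpers return: a lower cap gives a lower peak but a longer makespan, so the scan window has to grow as VM density per chassis grows. That is the operational cost that an agentless or hypervisor-integrated approach is meant to remove.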
There are several point products from several different vendors that can be deployed to resolve most of these issues. Having been in operations for the last ten years, I understand that total cost of ownership is almost more important than the initial capital expenditure. If I can minimize the number of management systems that need to be managed, minimize the number of management systems the operations teams will need to monitor, and establish better relationships with fewer vendors,
Trend Micro has developed a solution that was proposed by VMware. They took the requirements and have a virtual appliance solution to address all of these issues (and more). We highly encourage you to investigate this solution.
There are a lot of these virtual environments being deployed and we are not paying enough attention to the fact that our standard tools are simply not effective. A more in-depth look at filling the security gaps can be found in our next post.