All about Virtualization and Cloud Security | Recent Articles:

The Next Cloud Frontier: True Software-Defined Security

Dec 08 by Dave Shackleford

In the last post of this series, I described what a Software-Defined Data Center (SDDC) is, and asked the question, “In a SDDC environment, should security simply be treated as another layer in a software stack? If so, where should it go?” I presented the first scenario for creating Software-Defined Security (SDS), which is basically migrating security from physical to virtual, but found it lacking. Here, I’ll cover a better approach to SDS.

The next way to look at SDDC security is on a “per layer” basis. Security tools are integrated into the hypervisor layer (or compute layer), the storage layer, the networking layer, and the operating system and application layers. This extends the idea of a virtualized control model, with multiple integration points that may be collectively more capable than a single “layer”.

Re-thinking “trust”: Security in software-defined networking

Nov 13 by Dave Shackleford

One of the hottest topics in IT today is software-defined networking, or SDN. SDN separates the control layer for the network from the underlying hardware typically associated with networking functionality. Applications that interact with the network are also separate, and can potentially communicate with the control plane via APIs. The control plane and hardware also communicate with emerging protocols and APIs like OpenFlow. A related concept is Network Functions Virtualization (NFV), where network capabilities like NATing, firewalling and access controls, and intrusion detection are all decoupled from the hardware, as well, usually in a virtual machine or software-based implementation.

If this all sounds confusing, it can be, so here’s the short version: hardware is a commodity, and all network controls and functions are now software somewhere else. That “somewhere else” is where things get interesting, and makes for some compelling pros and cons related to security.

Revisiting the “Goldilocks Zone”: Moving toward the virtual data center

Nov 05 by Dave Shackleford

There is no question that the footprint of today’s data center is rapidly moving toward the virtual. This changes so many things about the way IT operations functions that we must start asking hard questions about security, continuity, and control of our data. Perhaps one of the biggest questions is this - what happens when everything is a file?

All of our virtual server and desktop instances are simply files run by hypervisors.

The trend toward Software-Defined Data Centers (sometimes abbreviated SDDC) is moving fast. Increasingly, organizations are implementing Software-Defined Networks (SDN), systems, and application instances, with less focus on hardware-based tools and standalone software installation.

Healthcare Industry: In Need of Security Medicine

Oct 24 by Robert Krauss

As part of an ongoing series, we’re examining the security and compliance needs and challenges in a variety of industries, and the implications for value-added resellers (VARs) and managed services providers (MSPs). In this post, we look at the healthcare sector.

Few industries (financial services being another) have been as scrutinized over data security and privacy issues as healthcare. With the advent of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, hospitals, clinics, private practices, health insurers and others in the industry have had to become super diligent about protecting patient information.

Shellshock is Shocking, According to Shellers

Sep 26 by Shaun Donaldson

If you’ve had a few spare moments to peruse the news, and happen to do so with an eye toward IT, you’ll have heard about Shellshock. As with many a vulnerability, there are many questions, and in this post I hope to answer some.

What is the problem?

Bash (Bourne-again Shell) is a command line interpreter packaged with most Unix variants. It’s quite handy for running commands, especially when invoked from scripts. The vulnerability roughly relates to how Bash parses environment variables (used to set the context of commands). The vulnerability allows someone entering environment variables to insert arbitrary code. Instead of just setting the context of execution, Bash executes the injected commands.

Continuous Security Monitoring in a Continuous World

Sep 25 by George V. Hulme

In today’s highly virtualized environments, where continuous integration and deployment are the norm, it’s just impossible to manually ensure that both security and regulatory compliance controls are adequate.

With virtualized workloads, apps, and the supporting infrastructure being persistently updated, your enterprise needs automated and constant security checks to be run in parallel. Gone are the days of running monthly security and regulatory compliance assessments. As continuous integration and deployment pipelines rapidly become the norm, rather than the exception, a fundamental shift in the way enterprises view security is essential.

But where to start the continuous security monitoring? When looking at your environment in its entirety, with an eye toward monitoring everything all of the time, it can appear overwhelming. And the reality is that you can’t start monitoring everything all at once. Choices need to be made about where to start: which endpoints, servers, and applications need the most oversight?

The State of Endpoint Security in Virtual Environments

Sep 03 by Dave Shackleford

There’s no question that the majority of organizations are virtualizing servers, and increasingly, desktops within their environments. With this shift comes a plethora of new risks. We’re getting better at porting network security platforms to a virtual format, primarily firewalls and intrusion detection and prevention systems. Encryption for virtual and cloud environments is also slowly improving. Another area that seems to be evolving is endpoint security.

In some ways, the challenges of endpoint security are more complex than some others, for a few different reasons. First, endpoint security has to scale across a larger number of systems, in many cases. In addition, traditional endpoint security products are usually agent-based, and consume significant amounts of resources (disk, memory, and CPU). This can easily throttle a shared infrastructure environment.

Don’t Trivialize “Small Business” IT and Security: They Probably Have It Harder than You

Aug 27 by Kathryn Schwab

I recently signed up a family member for extracurricular activities, and upon arriving at a small local business, ended up in a conversation with the owner. After a few pleasantries, the usual, “where do you work” question came up. I proudly answered, and the floodgates opened with the owner asking many questions about IT and security:

 Should I use two host service providers? One for internal access? One for external access? 

 How do I protect the business, given my IT environment?  

 Should I move certain services into the cloud? If so, how do I make sure my customers are protected?

 What is virtualization and how can it help me? Does it make sense for me?

When, where, and why do I need different endpoint security when going virtual?

Jul 16 by Shaun Donaldson

In the endpoint security world, specifically antimalware (or antivirus, depending on your definition, but more on that in another post) vendors are offering different features and architectures to address performance in virtualized datacenters. A simple question that organizations have is, “When, where, and why do I need this stuff?” Of course, as a vendor, the tempting answer is, “Always, everywhere, and just because”. However, reality is always more nuanced than the average PowerPoint presentation.

Count your blessings: Cloud options for Disaster Recovery

Jun 17 by Alexandra Gheorghe

You are part of an industry leading organization with thousands of customers, but do you have a plan-B? Organizations of all budgets and sizes are looking for an efficient and reliable backup option, but without the headaches and costs of traditional disaster recovery. In this context, the cloud makes a great alternative. One of the most heavily hyped technologies of the last decade, the cloud can act as a secondary data center to help your organization recover data and systems quickly after any kind of interruption. An earthquake or an unexpected data breach might happen to you.

When Amazon Zigs, Everyone Else Zigs and Zags

Jun 12 by Shaun Donaldson

For the most part, corporate press releases are boring. It’s an exercise in patting oneself on the back while saying next-to-nothing of significance that IT companies are especially guilty of performing as a rote exercise. Then again, every now and then an announcement produces a reaction that stirs things up. To me, the significant parts that go unsaid in an announcement are, in exceptional cases, revealed by the reaction of others (or the lack thereof). Last week, Amazon was good enough to create an interesting example of a PR-by-reaction.

It began with an announcement from Amazon, which can be found here. The post was part of announcing the release of AWS Management Portal for vCenter. Basically, it’s a vCenter plug-in that makes it easy to lift VMs to AWS. It has some additional features, but overall, is compelling only in that it lives with vCenter. To flip that around, it’s really exciting because it’s in vCenter. It’s all in the interpretation…

Antimalware and Virtual Machines: square peg, round hole problems

Jun 10 by Shaun Donaldson

As endpoints are virtualized, it is tempting to assume that everything within the endpoint is virtualized, and the job is done. Of course, performing a physical-to-virtual migration is the first step in an ongoing process of optimizing applications, the underlying infrastructure, and of course, security.

AV Storms and all the nastiness

If you have virtualized most of your servers, and are starting to optimize by raising consolidation ratios, you will have noticed that traditional antivirus software creates some nasty headaches in virtualized environments. If you have virtualized desktops, you’ll have encountered “AV storms” from the start of the project.
