VMinformer’s consultants have spent the last 5 years researching and conducting virtualization audits. In 100% of cases organizations fail our audits because basic security controls have been ignored – time, and time again, the misconfiguration failures boiled down to human performance and behavior.

Of course, system failure due to human oversight is nothing new, so why should we be worried this time? There are several factors at play. Firstly, most people take too much comfort from the fact that the individual elements of their virtual computing infrastructure is protected from malware and firewalled – which indicates that there is a lack of understanding, or ignorance, of their virtualization manufacturer’s security recommendations.

The best firewalls, AV, IDS (no disrespect to those vendors – their products do an important job) provide little protection to virtual and cloud infrastructure.

Next in our experience, systems are unpatched and security updates (which there are many, and diligently communicated by the virtualization manufacturers) are ignored. Is it because the virtualization administrators are too busy? Maybe they don’t have visibility over their virtual computing estate, or lack in-depth expertise across so many of the IT disciplines they now control (network, storage, security). Generally it is a combination of all these factors. Now is the time, if you are responsible for a virtualization platform, to take a step back and do some risk analysis.

“What is the consequence of a loss of, or within, our virtual computing infrastructure and what is the likelihood of that happening?”

Unfortunately, there are more factors at play.

• Where’s the segregation of duties in your virtual computing environment?
• Who’s responsible for looking at the what, where, when and how?
• Who has oversight?
• What audit or assurance are you aware of?

You only have to look at what happened in the financial markets with its over confidence, self regulation and ultimate collapse to know that your overworked system administration team has no chance.

This platform is just too critical to fail….

but fail it will if these factors are not addressed. But this time it could be on a scale that we’ve never experienced before in corporate computing. You can envisage not just the inconvenience of losing a few systems, but the loss of an entire IT infrastructure. Why and how will it happen? The usual reason – humans ignoring the warning signs, and simply not taking precautionary preventitive action.

A classic example is the release of SQL Slammer in 2003 – it effected 75,000 systems in 10 minutes causingan estimated billion dollars worth of damage. How could this have happened? Microsoft had issued a patch 6 months before. A patch that was almost universally ignored!

VMware, Citrix and Microsoft all provide patches and make recommendations on setup and configuration but do people follow them? Generally, they don’t. Worse still people assume that the configuration that they deployed in development three years ago is suitable for production or even DMZ use today! Of course the usual reasons are at the forefront: people either don’t have the time to inquire; or are scared that if they make a change it may break a critical business process.

Human behavior, whether it be oversight, ignorance, a laissez faire attitude, lack of visibility, or lack of responsibility, will be the fundamental cause and systemic failure of security in virtualization and cloud computing infrastructures. Those organizations that choose to be complacent and ignore the warnings will be part of the most catastrophic system failure we have ever seen.

We don’t know how, or on what scale, but the warning signs are clear…it is inevitable.

It’s your choice what are you going to do…?

“What do you reckon, a reality or complete hype.. Yes or No?”

Over the last few years security researchers have been talking about attacks on SCADA systems. Last year there was an attack on a nuclear facility in Iran (stuxnet) it is believed or alleged this was carried out by security services in order to thwart Iran’s nuclear program.

Whatever the truth the fact remains that SCADA systems have for decades relied on the premise of:

• Security through Obscurity
• The SCADA network is not connected to the Internet
• That physical security is good enough to protect the SCADA network
• Weak authentication and control mechanisms were adequate
• No auditing or security monitoring

We all know that “Security through Obscurity” is nonsense, if someone has the will, the time and resources they will succeed. So what does SCADA have to do with virtualization or for that matter cloud computing security?

Well let’s just think for a minute and pose a hypothetical scenario. Let’s suppose that Organization A has a competitor Organization B. They have been in the same market for years but have never managed to dislodge the other from poll position in the market. They have been a thorn in their side for years. What if they could cause a failure in their rivals system on such a scale that it would take them not just days to recover but maybe months. Just enough time for them to either gain a reasonable market share and significant competitive advantage or maybe just maybe to put them out of business for good!

Organizations have or should have disaster recovery processes and strategies in place but to often and not these are never tested until the disaster situation arises. So yes organizations may be able to recover some data but what if the data itself had been corrupted intentionally and this had been going on for months if not years? What if this corruption had been happening at such a low level it was undetectable by the software controllers and third party software used to protect the data?

Virtualization and cloud computing infrastructures ultimately have to store data and typically that data resides on shared storage fabric irrespective of the technology. Those systems have control mechanisms and have management software to configure and control them as well. If these control mechanisms can be subverted or exploited in such away that would remain undetectable, even if for just enough period of time to cause damage then we will without doubt see a system failure on such as scale that has never been witnessed before.

We’re all human and maybe we did see an obscure error in the backup log or other system file, but you know what, we have a million and other one things to do so either forgot about it or we said to ourselves “that can wait until tomorrow.”

Tomorrow unfortunately is too late. If you are serious about protecting your organizations crown jewels you should do something about it now and get some visibility, and look at what is going on in your virtual or cloud computing infrastructures.

Traditional physical security controls such as Firewalls, IPS/IDS, Anti Virus are unfortunately not suited to virtualization at all. Although it is better to have something than nothing if such traditional measures are implemented they will ultimately end up costing organizations more, and undermine the initial cost benefits of virtualization.

The added push towards “Cloud” computing only compounds the situation, so should we bury how heads in the sand, be alarmed or run for the hills and give up? Or are there alternative approaches that can be adopted?

If you’ve got this far you won’t be surprised to hear me say a resounding “YES!” to the question “are there alternative approaches!”

Traditional security solutions have had there day, it’s time to wake up and smell the coffee!

The dynamic nature that is virtualization and for that matter cloud computing means that it is trivial for an administrator inadvertently or otherwise to bypass security controls such as firewall’s simply by adding an additional network card to a virtual machine. This behavior can often go unnoticed due to lack of visibility or controls.

Virtualization and cloud computing have many benefits, the most obvious being cost and ability to scale in a way that has not been possible before. This flexibility however brings with it complexities that unless understood will allow human traits such as complacency, ignorance and it won’t happen to me attitude to reduce the overall effectiveness, security and cost savings of virtualization.

There are no perimeters, endpoints such as the server, desktop and application are becoming blurred. In the future there will be no operating system as we understand it today and therefore we must adapt, those who don’t will be left behind. If you are unable or sceptical about doing anything make sure you do one thing, monitor and provide yourself with some visibility.

As Yoda said, “Do or do not. There is no try”

A survey of 100 CFOs from mid-sized organisations found that 56 per cent were concerned about the security of sensitive customer or commercial data, while only 34 per cent said that they fully understand the benefits of moving to the cloud. Less than a third (28 per cent) stated that they know the difference between private and public clouds.

More on this article can be found here… http://bit.ly/gifiJx

There are many buzz words and hype the computer industry has created over the last decade.  If I had to pick my number one phrase for being the most misused, annoying and idiotic it would be “Cloud Computing” or “Cloud Services” and any other usage of the word “Cloud” in this context.  The industry in general is now using terms like “Private Cloud” what planet have these people stepped off?  It’s a building with a bunch of computers in, umm now let me think wasn’t that my datacenter?!!  Also didn’t we have other terms like “Intranets”, “Extranets” and other “nets” to describe separate networks, come on!

This industry also seems to enjoy creating new acronyms for things and although I am not against acronyms if they are necessary making up things like, “SAAS”, “DAAS” and “NAAS” who are these people trying to kid.  Also haven’t we been here before to some extent?  Less than a decade ago I seem to remember people talking about ASP’s being the next big thing, where are they now?

For those of you who don’t know what I am talking about when I refer to “Cloud” lets try and define it because there seems to be a myriad of definitions for it out there doing the circuit.  You have a business, could be small, could be big, it doesn’t really matter.  You say to yourself rather than doing all that complicated technical stuff needed to run my business or because I don’t have the resource or startup capital right now I’ll let someone else handle that .  That person does have the know how, the resources and can spread my cost base over a period of time, and this makes sense you don’t have to be a genius to see the benefits of doing this.

Outsourcing

So however you wrap it up “Cloud” is essentially about outsourcing your business processes and assets to an external provider.  You may decide to do this in combination or in a step by step process.  Now for the “one man and his band” this may be fine, and as I said earlier you don’t need to be a genius to see the flexibility that this “pay as you go” type service offering gives you.

But is this right for an enterprise business?

Would you really outsource all of your core business services, assets, data, intellectual property to a service provider?  If I put my security hat on for a moment I would have to say if as a business you decide to go down this route then you would without doubt be commiting corporate suicide.

Would you put all your confidential data and any other intellectual property you had in a skip on the street?  Would you leave your valuables in your car unlocked?  Would you leave your front door open?  Of course you wouldn’t unless you were completely stupid, and I am not trying to scare anyone here I am trying to make people think and get some perspective on the situation.

Step back for a second and look at what “Cloud” strategy is going to give you. Way up the benefits and then however the marketing people (by the way I don’t have anything against marketing people!) wrap the wolf up in sheep’s clothing, strip it bare, get back to basics and ask why am I doing this, what will it achieve that I don’t already have today or can’t do in other ways.  Then look at protection, how do I protect myself if I do decide to go down this road to armegeddon.  You may have high security standards and practices, the provider however may not or even if they claim they do, may not bother to implement them for reasons of cost.

Then what about insurance can the provider indemnify you if a security breach occurs?

Unless the provider is very large and lets face it today there are only a handful of those that make up the hundreds of other companies starting to offer cloud services, then the answer is that no insurance underwriter is going to provide those organizations with adequate insurance for indemnity purposes.

Sharing

Lets say for a minute you do decide that “Cloud” is for you, you like the idea of saving money its going to make you look good in the board room, it will save the organization millions, help you link with new business partners, whatever the reason.

When today a breach occurs that results in you losing thousands of credit card numbers or core IPR of some sort, when you enter the board room tomorrow are you going to look that brilliant.  No you will be making a fast exit but the aftermath to the company you worked for could be catastrophic, share prices could plummit, customer confidence falter, brand reputation suffer, you get the picture.

FUD

Am I trying to feed you FUD? (fear, uncertainty and doubt for the uninitiated) well maybe to drive the point home.  The reason I paint the above picture is that if you outsource your assets to a provider you have to be damn certain that you can TRUST them.  Further still it’s not that you just TRUST them but all the business connections they may have as well as the other customers that are using their services alongside you.  Is the provider offering you dedicated resources or are they shared, and when I talk about sharing I mean at all 7 layers of the OSI model, from the application, to the network to the physical layer.

If these resources are shared which they will be as that’s why it’s cheap, how does the “Cloud” provider offer you robust security?  How do they guarantee the same levels of security you have today within your own network?  The answer is they can’t and if they say they can then walk away!

Attacking management frameworks

We have already seen attacks on social networking sites, and business sites, most recently at Black Hat 09 in Vegas a talk titled “Clobbering the Cloud” showed how researchers compromised the management frameworks of “Salesforce.com” to extract data that didn’t belong to them.

Virtualization

So where does virtualization fit into all of this?  vCloud?  VMware have a so called cloud operating system and are making moves into this space in a big way with their own service offerings.  Microsoft and Xen are also starting to do the same thing so virtualization is becoming very much a part of the “Cloud’, whether this is the network, the operating systems or applications  Does it complicate things? Does it make things easier?  There is no black and white answer to this if anything depending on your perspective it makes things easier  and it could if implemented correctly be more secure.

Unfortunately history has shown us that even if we have the most technologically advanced system in our grasp, human nature in the end just lets us down, the enigma cipher machine is a classic testimony to this.

Right now I’m off to get myself a brew in my virtual shed or was that cloud at the bottom of the garden!

vulnerability scanning in the cloud by cloudsecurity.org