Tag Archives: regulatory compliance

Post-Virtualization Security

Virtualization has been one of the most rapidly and widely adopted technologies in recent memory. It’s huge, and it’s here to stay.

And as security professionals know, setting up a virtual environment securely isn’t easy. Significant effort goes into tasks like evaluating off-premise service providers, ensuring regulatory compliance, and standing up technical controls like monitoring and encryption. But in the excitement to stand up the new environment and get security to an acceptable “target state,” organizations sometimes don’t address security hygiene long-term. In other words, security is in high gear while the environment spins up, but it doesn’t lay the groundwork for what happens once things are chugging along.

This represents an area of concern because setting up a secure environment is only the first step. As the second law of thermodynamics tells us, all things trend toward chaos — this is no less true with a virtual environment. Stand up a virtual environment today and walk away from it and you’ll wind up with an unmanaged security nightmare tomorrow. As technical staff create new VMs, modify existing VMs, create “orphan” snapshots, and take other action in the environment, the environment slowly moves away from the defined, “secure” state into a less known one. This has a security impact.

So for organizations laying out challenges and focus areas for the new year, now’s a good time to think through your planning for how to keep the virtual environment secured. Ideally, you’ve been doing this all along as you first started tackling virtualization. But if (like most) you haven’t, doing it now is a smart move.

The Sprawl

For virtualized data centers and private cloud deployments, keeping the number of virtual hosts within defined parameters can be challenging. VMs tend to proliferate and collect over time because of “one-off” or ad hoc VMs created without a clear plan for decommissioning. Add time and employee attrition to the mix, and you can be left with a large population of undocumented VMs that lack clear purpose and that staff are uncomfortable removing because they’re not sure who will be impacted.

On the operations and performance side, sprawl is a well-known problem. But the security side of it isn’t always addressed. For example, sprawl can have a regulatory impact. The PCI virtualization guidance tells us that if a VM is in scope of PCI, so also is the hypervisor. This means that uncontrolled proliferation can have unintended consequences, such as a test or QA VM moving into the cardholder data environment (CDE) without appropriate controls. Even without the regulatory impact, dangers abound: undocumented VMs fall outside technical security controls such as patch management, logging and anti-malware.

It takes discipline and planning to control sprawl — discipline and planning that won’t occur without someone from the security team actively monitoring the problem and formulating strategies for how to address the issue. The further environments drift from the documented secure state, the more work is required to bring the environment back in line. This means that security organizations should be actively monitoring inventories of VM assets. They should be working with the technical teams to control expansion now while the problem is small rather than waiting for the problem to become unmanageable later on down the road.
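To make the inventory monitoring described above concrete, here is an added example (not code from the original post) of a small drift check a security team could run over a VM inventory export: it flags VMs missing from the documented baseline or lacking an owner, snapshots nobody cleaned up, and VMs that share a hypervisor with an in-scope PCI VM without themselves being documented as in scope. The inventory records, baseline and field names are constructed for this example.

```python
"""
Added example (not from the original post): an inventory drift and PCI
scope-propagation check of the kind a security team could run over a VM
inventory export. Records, baseline and field names are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class VM:
    name: str
    host: str                   # hypervisor the VM currently runs on
    owner: Optional[str]        # None: nobody is on record for this VM
    purpose: Optional[str]      # e.g. "prod-payments", "qa"; None: unknown
    pci_in_scope: bool          # documented as part of the CDE
    snapshots: List[date] = field(default_factory=list)

def undocumented(inventory, baseline):
    """VMs absent from the documented baseline, or with no recorded owner or
    purpose: the raw material of sprawl."""
    return sorted(vm.name for vm in inventory
                  if vm.name not in baseline or vm.owner is None or vm.purpose is None)

def orphan_snapshots(inventory, today, max_age_days=30):
    """'Temporary' snapshots older than max_age_days that nobody cleaned up."""
    return sorted((vm.name, snap.isoformat()) for vm in inventory
                  for snap in vm.snapshots if (today - snap).days > max_age_days)

def scope_drift(inventory):
    """PCI guidance: an in-scope VM pulls its hypervisor into scope. A VM not
    documented as in scope that shares a host with one has drifted into the
    CDE's footprint without the matching controls."""
    in_scope_hosts = {vm.host for vm in inventory if vm.pci_in_scope}
    return sorted(vm.name for vm in inventory
                  if not vm.pci_in_scope and vm.host in in_scope_hosts)

# Constructed sample: a documented baseline plus the drift that crept in.
BASELINE = {"pay-app-01", "pay-db-01", "hr-web-01", "qa-build-07"}
INVENTORY = [
    VM("pay-app-01", "esx-01", "payments", "prod-payments", True),
    VM("pay-db-01", "esx-01", "payments", "prod-payments", True, [date(2011, 9, 2)]),
    VM("qa-build-07", "esx-01", "qa", "qa", False),   # QA VM landed on the CDE host
    VM("hr-web-01", "esx-02", "hr", "prod-hr", False),
    VM("tmp-test-03", "esx-03", None, None, False, [date(2011, 12, 20)]),  # unowned
]

def report(inventory=INVENTORY, baseline=BASELINE, today=date(2012, 1, 9)):
    return {"undocumented": undocumented(inventory, baseline),
            "orphan_snapshots": orphan_snapshots(inventory, today),
            "scope_drift": scope_drift(inventory)}

if __name__ == "__main__":
    for finding, items in report().items():
        print(f"{finding}: {items}")
```

Run against a real inventory export, each non-empty list is a work item: assign or decommission the VM, delete or justify the snapshot, or move the drifting VM off the in-scope host.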

Impacts to Existing Controls

Secondly, as we all probably realize by now, existing security controls don’t always translate well to virtual environments. Consider as one example what happens to network traffic monitoring tools like IDS when conversations between virtual images happen within the hypervisor (backplane communications) as opposed to over the network. For most security professionals, this failure to translate means they’ve needed to deploy new security tools to address shortcomings in the existing tool set.

This strategy is great in that it meets immediate needs, but it doesn’t address what happens over the long term. Consider that the virtual environment is expanding (in most cases rapidly) while the legacy physical environment is contracting. The budget for controls is usually constant. Consider how these two data points play out a year from now — and two years from now. Budgetary support is likely to shift. In fact, it’s not hard to envision a scenario wherein we need to start scaling back existing security controls that address only the legacy environment. Doing that cleanly takes planning and preparation on the part of the security organization. For example, it may take a year or more to shift how current controls are managed and operated in order to allow them to spin down cleanly without impacting existing staff.

Data Expansion

As the last item to consider, security organizations often don’t appreciate the tremendous rate of data growth that can occur in a virtual environment. Pretty much everything you do in the virtual environment has a storage impact: beyond the data you’d be collecting and managing anyway, there is sprawl, planned growth, snapshots used for QA or patching, and so on. Data volume can explode in a very short period of time.

This matters to security professionals because of the way certain controls operate relative to data volume — specifically, controls that operate linearly over data like DLP file searches and encryption.

As an example of why this matters, consider bulk data encryption. Encrypting a terabyte is trivial. Encrypting an exabyte? Well, that may not even be possible depending on how the data is used. Some controls need to be addressed while data sizes are still manageable. It behooves security professionals to think this through now rather than waiting until the volume has expanded beyond what a given control can manage.

Spending some time thinking through the ongoing maintenance and hygiene of a virtual environment is a useful exercise. So in laying out plans for 2012, keep in mind that the work doesn’t stop once the environment is in place — it continues throughout the entire lifecycle of that environment.

Author: Ed Moyle
Source

Four Tips To Keep Cloud Computing Projects Compliant

Cloud computing seems simple in concept, and indeed simplicity of operation, deployment and licensing are its most appealing assets. But when it comes to questions of compliance, once you scratch the surface you’ll find more questions than you asked in the first place, and more to think about than ever before.

Compliance covers a lot of ground, from government regulations such as Sarbanes-Oxley and the European Union Data Protection Act, to industry regulations such as PCI DSS for payment cards and HIPAA for health data. You may have internal controls in place, but moving to a public cloud infrastructure platform, a cloud-based application suite or something in between will mean giving up some controls to the cloud vendor.

That’s a position many auditors, and CIOs and CEOs, find themselves in today. They want to know how to leap into cloud computing in a way that preserves their good standing in regulatory compliance. Here are four tips for keeping tabs on compliance in the cloud, from analysts, vendors and consultants.

1. Be aware of new challenges the cloud may add to your IT workload

When you evaluate cloud vendors, start by looking for sound practices and strategies for user identity and access management, data protection and incident response. These are baseline compliance requirements. Then, as you map specific compliance requirements to your prospective cloud vendor’s controls, you’ll likely face some cloud-specific challenges.

Data location is one. The EU Data Protection Act, for example, strives to keep personal information within the European Union. To comply, your cloud vendor should keep your European customer data on servers located in Europe.

Multi-tenancy and de-provisioning also pose challenges. Public cloud providers use multi-tenancy to optimise server workloads and keep costs down. But multi-tenancy means you’re sharing server space with other businesses, so you should know what safeguards your cloud provider has in place to prevent any compromise. Depending on how critical your data is, you may also want to use encryption. HIPAA, for example, requires that all user data, both in transit and at rest, be encrypted.

User de-provisioning is an issue that will become more challenging as password authentication methods grow in complexity and volume. Federated identity management schemes will make it easier for users to log on to multiple clouds, and that will make de-provisioning much trickier.

“When an employee leaves the company, what you’d like is to push a button and that person gets de-provisioned from their Windows account and any internal enterprise applications, their mobile phone gets wiped of corporate information, and they’re blocked from the company’s SaaS applications,” says Tom Kemp, CEO of Centrify, a provider of identity management and compliance tools. Today, automated de-provisioning can’t span both cloud and on-premise systems, he says.

2. Track the fast-changing standards landscape

Like it or not, you’re an early adopter. Your decisions about what applications to move to the cloud and when to move them will benefit from an understanding of new and/or modified standards that are now evolving for cloud computing.

Today you can look for SAS 70 Type II and ISO 27001 certifications for general compliance with controls for financial and information security typically required by government and industry regulations, but these don’t guarantee that your company’s processes will comply.

“Standards like ISO 27001 and SAS 70 are helpful but they’re point-in-time,” says Jonathan Penn, VP and principal analyst for Forrester Research. “And they aren’t very specific when it comes to data security, identity management, administrator controls, things like that. What we need is more visibility to the users about what’s going on. Right now it’s basically a big black box.”

Bringing visibility to users is a major goal of the Cloud Security Alliance, a three-year-old organisation fast gaining popularity among users, auditors and service providers. A major goal of the CSA is development of standardized auditing frameworks to facilitate communication between users and cloud vendors.

Well underway, for example, is a governance, risk and compliance (GRC) standards suite with four main elements: the Cloud Trust Protocol, Cloud Audit, Consensus Assessments Initiative and the Cloud Controls Matrix. The Cloud Controls Matrix includes a spreadsheet that maps basic requirements for major standards to their IT control areas, such as “Human Resources – Employment Termination,” while the Consensus Assessments Initiative offers a detailed questionnaire that maps those control areas to specific questions that users and auditors can ask cloud vendors.

Efforts of the CSA and other alliances, plus those of industry groups and government agencies, are bound to produce a wealth of standards in the next several years. The CSA has formal alliances with ISO, ITU and NIST, so that its developments can be used by those groups as contributions to standards they’re working on. And a 2010 Forrester Research report counted 48 industry groups working on security-related standards in late 2010.

3. Take care with the SLA

Regardless of your company’s size or status, don’t assume your cloud vendor’s standard terms and conditions will fit your requirements. Start your due diligence by examining the vendor’s contract.

That’s the advice of Michael Larner, an attorney with Hogan Lovells, an international law firm with experience in cloud compliance and security issues. Larner, who often helps clients negotiate service level agreements, says to start with your own risk/benefit analysis to see if the vendor’s standard contract is sufficient for your compliance needs. If not, determine what you need to negotiate to increase your comfort level.

Your company’s size can give you leverage to negotiate, but a smaller business can find leverage, too, if it represents a new industry for a cloud vendor that wants to expand its market. In any case, don’t be afraid to negotiate.

“With too many companies there’s an assumption if you’re dealing with a large vendor that the vendor won’t negotiate. In fact, you might find that the vendor is willing to make some exceptions to raise your comfort level,” Larner says.

If you’re new to the cloud, you may find that starting out on a pilot basis, or with non-critical data, is a good way to build confidence, he says.

But due diligence doesn’t end with a comprehensive SLA. Nirav Mehta, RSA’s director of corporate strategy for cloud computing, says you’ve still got to watch the vendor closely. “You may have a good SLA, but if the vendor’s cloud goes down, what happens to business continuity?”

Mehta sees a day when the best strategy might be to use multiple clouds for backup assurance.

4. Make security a priority

To best understand your potential risk, as well as your benefits, you should bring your security team into the conversation at the earliest possible opportunity, says Forrester’s Penn.

“That way, security and compliance issues are brought up in the right context,” he says. “It’s important that business executives understand the security issues and can weigh the levels of risk against the budget they’ll provide to mitigate some of those risks.”

Moving to the cloud may offer an opportunity to align security with corporate goals in a more permanent way by formalising the risk assessment function in a security committee. The committee can help assess risk and make budget proposals to fit your business strategy.

You should also pay attention to the security innovations coming from the numerous security services and vendor partnerships now growing up around the cloud. Dome9, an Amazon partner, solves a cloud-specific technical problem, closing secure-shell (SSH) and other ports of your cloud-based servers when they’re not in use so an attacker who’s already gained access to the cloud can’t get in.

“In the enterprise, these tend to stay open by default,” says Dave Meizlik, marketing VP for Dome9. “But in the cloud, you’d want them closed when you’re not working, and you can’t rely on calling the cloud provider every time you get off your server.”

Cloud computing may pose some risks, but they’ll likely diminish as security innovations catch up. Even today, according to Forrester’s Penn, “The security issues with cloud services don’t worry most enterprise security teams as much as other IT trends, such as smartphone or social media proliferation. Ultimately, the security issue will be a speed bump, not a showstopper, for cloud adoption.”

Source

Why Your Next Desktop Will Be Virtual

There will always be a need for conventional desktops and notebooks for specific users, but desktop virtualization has matured today. In fact, it’s time to take a hard look, not just a passing glance, at what it can provide.

The magic that virtual desktop infrastructure (VDI) can provide is in taking a fairly inexpensive thin-client device, giving it access to your data center from anywhere, and allowing that device to take on the image of a typical desktop. VDI provides the device with all the data and applications you need throughout your day, and then reverts to the proverbial tabula rasa when you shut it down. Because no data is stored on the device, you never have to worry about proprietary data falling into the wrong hands if the device itself—desktop, laptop or tablet—is lost or stolen.

VDI should change the way you think about the desktop. For your users who fit the bill, there are significant reasons why VDI makes sense right now.

Five reasons to examine VDI now

Reason No. 1: Hard cost savings

Thin clients cost less and they last longer (six to seven years versus four years for a notebook). They also consume a fraction of the energy of a desktop PC (as low as six to seven watts for thin clients versus 150 watts for PCs).

Reason No. 2: Ease of management

Thin clients are easier to patch and upgrade. Their hardware generations also change more slowly than those of PCs, so you’re not swapping in newer models all the time.

Reason No. 3: Centralized backups

When using virtual desktops, everything is backed up centrally, which is easier on data center operations and eliminates local drive issues. This makes sense for tablets as well since they are not a traditional client device and their backups most certainly are not handled by most enterprise backup applications.

Reason No. 4: Regulatory compliance

Since all the data and applications are centralized, VDI makes it vastly easier to enable and enforce processes and procedures to ensure security, privacy and other best practices.

Reason No. 5: Productivity gains

VDI encourages telecommuting or remote working, which can contribute to higher productivity, better morale and lower office space expenses while decreasing demands on help desks. If there are problems, it’s easier to troubleshoot standard images and integrate applications with standard hardware. Plus, users need less training with standard images.

While these reasons to examine VDI now are substantial and worth considering, VDI isn’t for everyone—at least not yet. To be successful, you need to be very selective with the users you choose to bring into the VDI model. But for those users that can take advantage of VDI, the benefits they reap may feel a bit like magic.

Source