A Role for Role-Based Monitoring in the Virtualization, Cloud Space
Security monitoring must adapt to remain effective in the cloud and virtualization arena. That's where role-based monitoring comes in.
With the advent of virtualization and the move towards software-defined clouds, the way we perform IT and how we measure its success has changed. As a result many of the ways we traditionally secure infrastructure no longer apply or plainly come up short.
To understand that, let's think about what the cloud and virtualization have done to traditional security controls. In the past, IT systems were managed in many separate enclaves. You had thousands of servers and hundreds of routers and switches managed by dozens of different management tools and consoles. Those systems had specialists playing different roles who were limited to doing only what fell within their purview.
Virtualization has changed the way in which we must think about security. First, it has merged the traditionally separate roles of networking, storage and server management -- disrupting well-established processes based on separation of duties. Second, it has collapsed configurations of servers, switches, networks and storage into one system, effectively concentrating all of the risk into one platform, creating a system that is "too big to fail."
Why "too big to fail?" Organizations have already virtualized 60% of their systems, picking off the low risk workloads for development, test and QA. Now, the seductive lure of cost reduction and greater agility is forcing organizations to finish virtualizing the last 40 percent of their infrastructure, namely production workloads. But since productions systems are what organizations rely on as the repository for processes, workflows and critical data -- if those systems fail, the company fails. In many ways, virtualizing 100 percent is the IT equivalent of putting all of the senior executives on one plane.
Now, let's imagine that the virtualization management system, which controls all production servers, is compromised. That compromise could come from a disgruntled insider with elevated privileges or it could come from a bad actor using legitimate credentials obtained as part of an advanced persistent threat (APT). Within 15 minutes, a compromised management console would allow attackers to bring down hundreds of servers or even the entire datacenter. They could clone sensitive servers for offline hacking or viewing; they could even delete the highly available duplicate workloads, effectively making key redundancy measures redundant.
Given the concentration of risk and reduction in time to failure, security technologies must adapt. One area in particular is security monitoring. In a recent survey of our customers, more than 50% of enterprise security executives responded that it takes them weeks, months or longer to discover a non-obvious breach in their cloud or virtual infrastructure. That falls far short of the 15 minute window needed by attackers to disable an infrastructure if given access to cloud or virtualization management tools. So why aren't bread-and-butter monitoring technologies like security information & event management tools (SIEM) working?
Traditional SIEMs were designed for a different set of security challenges -- to detect outsiders attempting anomalous or risky behaviors. They correlate IP addresses from firewalls, signatures from intrusion prevention systems and logs from operating systems to detect breaches. So if someone from China attempts to use an automated tool against your webserver, they will tell you about that breach. But what happens when the IP address is known and trusted, and the user account is known and trusted, and the attempted action, say deleting or copying a VM, is a common privileged action? Then SIEMs are blind.
Virtualization management systems, however, only generate privileged commands from trusted insiders, so finding potential breaches requires a new and different approach -- role-based monitoring (RBM). Using roles is the only effective way to answer the question: "How do I detect a good administrative action from a bad one?" To do this, RMB must inspect a privileged operation using the job description, scope of resources and general responsibilities with which an administrative user is entrusted.
Imagine that you have an administrative user in charge of making network changes on your virtual infrastructure related to processing commercial transactions in North America. That user's role in essence is the application of a set of skills (networking) to a set of resources (commerce servers in North America). If that user were to try to copy or delete storage resources to SAP servers in Europe, that would fall outside the user's role and could be seen as suspicious, requiring further investigation.
With a role-based approach to monitoring changes on the management plane, you have a method that uses an organization's processes and procedures to effectively provide a 98% accurate view into what is abnormal on the management plane -- effectively weeding out the noise so that security and operations teams can investigate in near-real time. With this type of control in place, organizations can virtualize 100 percent knowing that their security has adjusted to the speed and scope required to remain in control.
Alan LeFort is VP, Product Management at HyTrust. He has over 18 years of experience in the high tech industry and has held senior roles at AVG Technologies, TELUS Security Labs, Intellitactics and AT&T Canada. LeFort also founded the Rotman-TELUS joint-study on Canadian Security Practices, Canada's leading study on security and compliance in the Enterprise. He holds an Executive MBA from the Rotman School of Management at the University of Toronto and a BBA in Finance from The University of St. Thomas in Houston, Texas.