Virtualization Security  in Private and Hybrid Cloud

Edmundo Costa, CEO, Catbird, says:

Virtual networking and other radical changes to data center architecture have paved the way for a new approach to network security. With the adoption of virtual and software-defined networks (SDN), applications can now be secured within the virtual and SDN fabric, at run-time. This is a significant evolution for security, and its advent is necessary as these architecture shifts have revealed the inadequacies of traditional perimeter-based security. Securing the perimeter worked fine when network traffic flowed north-south only, but perimeter security does not protect the east-west flow of virtual networks.

Best practices indicate that virtual, private or hybrid cloud data centers today should consider run-time virtualized security. Based on tunable policies, this approach ensures that application protection addresses the business requirements of the application through its entire lifecycle from inception to retirement. The economics of the run-time approach benefits from the power and economics of cloud infrastructure. A tunable, user-defined, security policy ensures that assets sharing common infrastructure are protected based on their individual requirements. Policy protection can be multi-function and multi-vendor, incorporating a broad set of network controls, potentially covering all of the SANS Top 20 Critical Controls, and providing dynamic updates based on security and hypervisor events.  In addition, policy can be continuously monitored and measured to verify its efficacy.  Policy violations can generate alerts and offer machine-speed mitigation options. Through this approach, security follows the same software-defined model as compute, storage and management, becoming a full-fledged member of the cloud, better able to respond to business requirements.

Implementing Virtualization Security: Five Priorities

In order to make sure that all the bases are covered regarding security and compliance in

the private and hybrid cloud using a run-time approach, organizations need to enable an automated identification and protection of existing and new cloud assets. Consider these five priorities when implementing security in virtualized environments:

1 – Discovery: Toward a complete network context

The SANS Top 20 Critical Controls names discovery and inventory control as the most important security best practices. For instance, SANS Top 20 Critical Controls places it at the pole position.  Network security policy decisions that are executed in the virtual infrastructure are highly dependent on its context. That is, the hypervisor, virtual switch, VLAN, virtual network configurations and VMs are all critical data points to consider in the effort to protect the private or hybrid cloud.

Consequently, the goal is to achieve perfect inventory control of these elements. This is possible in virtual infrastructure because the hypervisor and SDN controller can easily count the precise number of hypervisors, VMs and virtual switches.  Similarly, the hypervisor knows how they are interconnected. Once this is known, specific policies can be applied to those objects through orchestrated network controls.

It’s helpful to be able to correlate observations from different angles, such as notification about assets as they announce themselves or what the hypervisor is reporting. For this reason, consider security solutions that are placed in the logical switching fabric and on the hypervisor. Additionally, solutions that run alongside workloads on the virtual switch can enable the inspection of all traffic, identify threats and enforce policies.

When identifying a cloud security solution, look for those that include a web management console and central processing hub for all security and compliance operations to provide a holistic view of the virtual network. Identify solutions that can secure the private or hybrid cloud with increased visibility and situational awareness with all network controls in the SANS Top 20 Critical Controls framework, such as vulnerability management with configuration checks based on Security Content Automation Protocol (SCAP).

Begin with virtual asset discovery to establish a perfect inventory of all of the VMs and their network configurations across the entire cloud infrastructure, and then isolate sensitive data using zone-based security. This is particularly helpful in a world where VMs can be easily copied, cloned, moved or misconfigured.

Organizations can improve the network security posture within private or hybrid clouds, accelerating incident response and reducing forensic analysis and audit and compliance burdens.

2 – Zoning: Logical policy containers

As assets and objects are created, such as VMs, the security protections should be dynamically applied.  Typically, security policy containers, or zone-based security, is predicated on common trust-class and independent of IP address or network topology.  Any change to the VM population, or to the configuration of the VM, is automatically detected and all security controls are dynamically updated. Let’s call these policy containers “trust zones” for short.

As VMs are added or removed, or their network configurations changed, firewall rules must also be created and updated based on the policy defined on the trust zone to which the VM is associated. With policy orchestration, firewall rules can be automatically updated with any changes to trust zone membership or VM network configurations. All other network controls such as IDS/IPS, vulnerability management and NAC would also require appropriate updates. Those too can be automated via a security orchestration solution.

Trust zones create the foundation for analysis and correlation as well. For example, an enterprise-wide view of all network flows across these trust zones when drawn in real time, allow administrators to quickly see the virtual network from a security policy perspective. Views of specific firewall rules affecting network traffic, flows and connections can reveal data patterns and a well-rounded picture of network traffic between and within trust zones in the private or hybrid cloud.

Trust zones enable the IT function to apply network security at run-time, allowing assets with different levels of security policies to reside within the same cloud infrastructure. Trust zones can also be used to validate and extend current VLAN isolation by verifying the isolation and ensuring that changes to the network configuration do not bypass the VLAN isolation. Incorporating new virtual controls operating inside the virtual switch fabric, while validating security posture, will expedite the audit process.

3 – Verification: Evidence of control through continuous monitoring

When it comes to discovering malicious intentional or accidental misconfiguration, verify everything. Business groups demand quick deployment of applications, while IT demands efficiency. Virtual, private and hybrid cloud data centers are highly agile, with frequency of change measured in minutes, not days or weeks.

Validate policies by continuously monitoring the network, including VM configurations and security controls against policy at both the trust zone and individual VM level. For example, continuously validating VLAN isolation or virtual firewall settings through event capture of data flows, IOS/IPS flows, VM file and network configurations, hypervisor network events and virtual firewall events. These events should be monitored, correlated, logged and made available for real-time visualization and historical reporting and mapped to industry standards such as PCI DSS, HIPAA and FISMA.

Organizations can realize ROI quickly by continuously monitoring the network. This reduces preparation for assessments, ensures evidence of control, controls audit scope creep and eliminates costly audit disruptions. These efforts will instill confidence in network protections by verifying and validating network controls against hardening requirements and best practices.  Automating event-capture and mapping to standards through real-time visualization and audit reporting will unburden scarce IT personnel from manual audit processes.

4 – Enforce:  Automated risk management

To deal effectively with policy violations that are discovered during the verification process, automated risk management is essential. Virtual and cloud infrastructure increases consolidation on shared infrastructure and risk is compounded by high rates of change.  A careful criticality assessment by application groups should be made. When a serious policy violation is detected on high-criticality systems, an optional machine-speed mitigation action to contain any potential damage from misconfiguration or malicious activity should be considered.

When choosing a security solution for a private or hybrid cloud or virtual data center, it should enable policy that is both verified and enforced at the asset level. This dramatically reduces risk through timely incident response times and reduces audit costs. Mitigate attacks by reducing the threat footprint and applying targeted security policies to block known exploits, viruses, spyware, botnets and APTs as well as accidental or malicious misconfigurations and insider threats. Look to configure the system so that events that violate trust zone policies will result in automated alerts. Alerts should also trigger optional automated mitigation to enforce policy and maintain compliance.

A best practice is to use existing Virtual Local Area Network (VLAN) isolation across the data center. The most common mechanism for isolating converged infrastructure is through logical isolation with VLANs. Given the risks associated with a breakdown in VLAN isolation due to accidental or malicious misconfigurations, best practices and security standards are calling attention to the need to verify, validate and mitigate.

5 – Be Adaptable: Change can be disruptive

Switching to a run-time security approach is bound to cause disruption. Like virtualization, run-time security transforms data center security and brings overlaps between the three administrative domains of security, networking and virtual infrastructure operations (IT OPS) so careful planning is essential. Skills converge in the software-defined data center as security operates within the fabric, requiring cooperation and convergence of traditional siloes and more involvement from application owners. This is the true cost (and benefit) of the transition to a new approach in which security is delivered where and how you need it, aligning protections with business requirements and improving overall risk management.

This new approach requires an organization that can adapt to these changes and, in doing so, it will derive significant benefits: improved security at lower costs, automated and dynamic security that is based on policies to meet business requirements, and continuously monitored and enforced policies to mitigate risk and meet compliance requirements.

When IT administrators are given the tools they need to create and apply security policies, objections regarding cloud security issues are more easily and quickly overcome. This is important because hesitancy regarding security can hamper efforts to migrate high-value workloads to the private or hybrid cloud. The five priorities listed above will help organizations make the key decisions needed to join the cloud revolution.

For a more in-depth look at security for private and hybrid clouds, a white paper is available here.

Author’s bio:

Edmundo Costa joined Catbird in 2007 and is a software industry veteran. He brings over 20 years of executive experience growing companies from their early stages through to IPO. As the CEO, he leads Catbird’s pioneering efforts to deliver a new approach in the enterprise security market, ensuring that virtual and cloud infrastructures are secure and compliant. Prior to Catbird, Edmundo was a founding member of Tarantella, Inc. and held executive positions at The Santa Cruz Operation (SCO). He also worked at Accenture. He received his MBA from Harvard Business School and is a graduate of Cornell University with dual degrees in Operations Research & Information Engineering and Economics.