Drawbacks to Traditional Approaches When Securing Cloud Environments

Academic year: 2021

WHITE PAPER

Cloud under Control™

Exec Summary

Securing the VMware vSphere platform has emerged as an essential requirement for virtualizing critical workloads and ensuring their compliance with regulations. It’s increasingly recognized as a prerequisite for achieving the financial rewards of greater virtualization and private cloud adoption without exposing the enterprise to greater and more concentrated risk.

Several traditional physical data center security tools, including password vaults, jump boxes, and administration session recorders, have been adapted to the virtual environment to address the platform’s security needs. An analysis of the core functionality, value, and limitations of these tools concludes that each can contribute to solving the platform security and compliance puzzle. However, neither individually nor in combination do they meet all the requirements of a complete solution. Many are also cumbersome, requiring changes in user behavior among operations teams.

Introduction

The vSphere platform provides basic security measures that are adequate when virtualization is limited to low tier applications such as development and testing. However, as enterprises virtualize production and other critical workloads with sensitive data, they discover new security and compliance risks. Among the most serious are:

Root account sharing by privileged vSphere users makes it impossible to tie every administrative operation to a specific user. The result is lack of user accountability, no reliable audit trails, and violations of key administrative mandates in all major security regulations.

The virtualization platform grants users very powerful privileges by default, while its limited access controls lack the granularity needed for effective separation of duties and least privilege access. The platform also lacks a viable way to grant the one-time permissions that privileged users need to do their jobs day-to-day (e.g., occasionally deleting production VMs in order to upgrade their applications).

Isolation of each tenant’s virtualized applications and data in multi-tenant cloud environments is a universal security and compliance requirement. The vSphere platform, however, doesn’t provide the virtual resource controls and fine-grained user authorizations needed to fully segment the virtual infrastructure. In particular, the platform doesn’t provide constraints to ensure that the privileged users who can access a tenant’s VMs maintain the isolation between virtual switches, hosts, and other private cloud resources associated with each tenant.

The platform’s laundry list of logging limitations severely hampers compliance, audit support, and forensic analysis. In addition to the #1 concern – an inability to associate a unique privileged user ID with every administrative action – the platform doesn’t record denied or failed operation attempts, details of virtual resource reconfigurations, the user’s source IP address, and other necessary data. To make matters worse, users can bypass vCenter logging with direct-to-host access, and the platform doesn’t centrally compile vCenter and host logs.

This paper will examine how password vaults, jump boxes, and administration session recorders have been enlisted to solve these problems. The following sections will summarize each tool’s core functionality, examine the security challenges it targets, identify its value and limitations as a solution, and specify its proper role in securing the virtual infrastructure.

Password Vaults

A password vault (PV) provides a way to associate every administrative log-in with a particular user when two or more privileged users share an account. In a typical implementation, each time a user seeks access to a system the PV randomly generates and issues a new temporary root password to the user, sets a configurable password expiration period, timestamps the event, and logs the user ID of the person the password was issued to. Once the temporary password expires it cannot be reused.

Root password vaulting can solve part of the virtualization platform’s anonymous user problem. It increases accountability by enabling a PV tool to record the beginning and ending times of each privileged user’s administrative sessions. Linking a unique user ID to every session is a valuable first step toward creating an audit trail and complying with regulations.

Password vaults can be supplemented with management functions such as approval workflows, account provisioning, and reporting. The primary limitation of a PV as a virtual infrastructure security solution is that it is not aware of the operations conducted by a user during an administrative session. It therefore cannot associate a user ID with a specific action performed using a shared account, which is essential for accountability, audit trails, and compliance. Evidence of this weakness shows up in some PV implementations that automatically log a user into a shared vCenter account.

Even if a PV is integrated with vCenter’s basic access controls and log mechanisms, it inherits the limitations of those functions described above. In particular, a PV that depends on vCenter’s access controls cannot enforce object-level controls and therefore cannot provide the infrastructure segmentation that is essential in multi-tenant environments. In addition, a PV often requires a change in platform administration and associated user training: administrators must log in via the PV’s console and then request access to a specific system, a cumbersome change from simply logging into vCenter directly.
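The following Python is an added illustration written for this page (not HyTrust’s code, nor that of any vault product) of the check-out mechanism described above and of the accountability gap that remains. It models a vault fronting a single shared root account: every check-out mints a fresh random password with an expiry and is recorded in a ledger, the managed host accepts only the newest unexpired password, and an expired or rotated password is refused. It then tries to attribute platform log events that name only “root” back to a person using nothing but the ledger’s time windows. The users, times and the one-hour TTL are hypothetical; the assumption that rotating root invalidates the previous password, while a session opened earlier stays alive, is what makes the ledger windows overlap.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Checkout:
    """One ledger entry: who received the temporary root password,
    when it was issued and when it stops being accepted."""
    user: str
    password: str
    issued_at: datetime
    expires_at: datetime


class RootVault:
    """Model of a password vault fronting ONE shared 'root' account.
    Each check-out mints a fresh random password, stamps an expiry and
    records the requesting user. The managed host accepts only the newest
    unexpired password, so an old or expired one cannot be reused."""

    def __init__(self, ttl: timedelta = timedelta(hours=1)) -> None:
        self.ttl = ttl
        self.ledger: List[Checkout] = []
        self._live: Optional[Checkout] = None  # password the host currently accepts

    def checkout(self, user: str, now: datetime) -> Checkout:
        alphabet = string.ascii_letters + string.digits
        password = "".join(secrets.choice(alphabet) for _ in range(24))
        rec = Checkout(user, password, now, now + self.ttl)
        self.ledger.append(rec)
        self._live = rec  # rotating root invalidates the previous password
        return rec

    def authenticate(self, password: str, now: datetime) -> bool:
        """All the managed host can decide: is this the live root password?
        It learns nothing about WHICH person is typing it."""
        live = self._live
        if live is None or now >= live.expires_at:
            return False
        return secrets.compare_digest(live.password, password)

    def open_checkouts(self, at: datetime) -> List[Checkout]:
        """Ledger entries whose validity window covers the given instant."""
        return [r for r in self.ledger if r.issued_at <= at < r.expires_at]


def attribute(vault: RootVault, event_time: datetime) -> Optional[str]:
    """Name the person behind a platform log line that says only 'user=root',
    using nothing but the ledger's time windows. Succeeds only when exactly
    one check-out covers the timestamp; two overlapping check-outs, or an
    action outside any window, leave the action unattributed."""
    users = {r.user for r in vault.open_checkouts(event_time)}
    return users.pop() if len(users) == 1 else None


def demo() -> dict:
    """Constructed scenario with hypothetical users and times."""
    vault = RootVault(ttl=timedelta(hours=1))
    t0 = datetime(2021, 3, 1, 9, 0)
    out = {}
    alice = vault.checkout("alice", t0)
    out["alice_pw_valid_early"] = vault.authenticate(alice.password, t0 + timedelta(minutes=10))
    bob = vault.checkout("bob", t0 + timedelta(minutes=30))
    out["alice_pw_after_rotation"] = vault.authenticate(alice.password, t0 + timedelta(minutes=31))
    out["bob_pw_valid"] = vault.authenticate(bob.password, t0 + timedelta(minutes=60))
    out["bob_pw_after_expiry"] = vault.authenticate(bob.password, t0 + timedelta(minutes=90))
    # Platform events that name only 'root', attributed purely by ledger window
    out["event_0910"] = attribute(vault, t0 + timedelta(minutes=10))  # alice alone
    out["event_0945"] = attribute(vault, t0 + timedelta(minutes=45))  # alice or bob: ambiguous
    out["event_1010"] = attribute(vault, t0 + timedelta(minutes=70))  # bob alone
    out["event_1300"] = attribute(vault, t0 + timedelta(hours=4))     # no check-out covers it
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the scenario. The result worth noticing is the 09:45 event: the ledger proves that both Alice and Bob held a root password at that moment, which establishes session-level accountability but cannot say which of them performed the action. Only a control point that sees the operation itself, with the requesting user attached, closes that gap.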

Jump Boxes

In the context of virtual infrastructure security, a jump box is basically a server connected to vSphere management clients on one side and one or more vSphere management interfaces on the other. It can screen the virtualization platform from malware and other attacks, and it may have strong authentication features. If password vaulting is added to the jump box, it can provide the benefit of funneling all vCenter and ESX/ESXi access through a control point that associates a unique privileged user ID with every vSphere log-in. However, as mentioned above, this may require a productivity-reducing change in administrative behavior.

A jump box typically provides little if any native functionality for controlling privileged use of the virtualization platform. It may be able to restrict users’ ability to connect to specified virtual machines (VMs) without being able to control vSphere administration privileges directly. Instead, the jump box may use vSphere APIs to control access to the virtual infrastructure using the platform’s limited access control features. In this case, the jump box inherits the access control gaps that undermine the platform’s security and compliance support for critical workloads.

The jump box-based approach to virtual infrastructure security can’t be considered operations-friendly and may also increase administrative costs. Authentication and access rules may need to be managed twice, on both the jump box and vCenter. If so, additional user training and process changes will be required. Because any controls are session-based, a jump box cannot provide a workflow for the frequent one-time privilege authorizations needed to keep virtualization operations running smoothly.

Another limitation that jump boxes share with PVs is the inability to provide infrastructure segmentation for multi-tenant environments. Both tools rely on vCenter’s access controls, so they lack the object controls needed to fully isolate each tenant’s virtualized resources. Requiring all vSphere administrative activity to pass through a control point that strengthens authentication and shields the infrastructure from external attacks is a positive step toward securing critical virtualized workloads. But a jump box-based product that lacks robust vSphere access controls leaves key virtualization security challenges unaddressed.

Administration Session Recorders

For a variety of reasons, compiling comprehensive administrative event logs is very challenging in the virtual environment. That’s why some organizations take the shortcut of recording streams of privileged user activity via continuous screen capture. This graphical approach to security information “logging” can show an unauthorized or dangerous user action as it occurred, once you know where and when to look for it in the library of video streams. Administration session recorders also enable impressive marketing demos. In some cases, screen capture video is the only option for recording privileged user activity. Jump boxes often employ RDP for vSphere administrative access, and since RDP sessions are graphical the jump box can’t record event details in text logs. The necessity of using inadequate logging capabilities doesn’t negate the security and compliance costs of doing so, though.

Structured, detailed text logging of the key details of every event is the gold standard in information security for good reasons. Text-based logs are easy to filter and search, enabling access to relevant data in seconds. Operations managers, auditors, and forensic analysts, for example, can quickly and easily locate the details of a type of administrative operation conducted by a known or unknown user during any number of sessions or time periods. In addition, text logs can be used by log management and security information and event management (SIEM) systems to correlate administrative events with other security-related events. This analysis can create a clearer picture of an incident, and it can be used to automatically detect a possible breach or compliance violation and send an alert.

Video screen capture provides at best a small fraction of these benefits:

It’s neither easy nor efficient to watch many hours of session video while hoping to spot some type of inappropriate action, especially if the search spans multiple users, sessions, and/or operations.

Video can’t be used by log management or SIEM systems for incident detection, analysis, or alerts. If the improper behavior doesn’t come to light through some other means, and in a timely manner, it may either never be discovered or it may be uncovered long after costly damage could have been contained.
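The Python below is an added example written for this page (not code from HyTrust or from any SIEM product) of what structured text logs make possible and video does not: a small parser over a constructed sample log, an auditor’s field-match search, and three detection rules run over the events. The log layout, the hypothetical hosts, users and addresses, and the presence of a source IP and a success/denied outcome on every line are all assumptions for the example; the paper notes that vSphere itself does not record some of those fields, which is exactly why rules like these need a control point that does. The sample tells one story: a named vCenter user is denied a production VM deletion three times, then the same address logs in to the ESXi host directly as root and deletes the VM.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (hypothetical hosts, users and addresses). The
# key=value layout and the src_ip/result fields are assumptions for this
# example; they are richer than what the paper says vSphere itself records.
LOG_LINES = """\
2021-03-01T09:05:12Z source=vcenter user=alice src_ip=10.0.1.20 op=vm.poweroff target=dev-web-01 result=success
2021-03-01T09:06:02Z source=vcenter user=alice src_ip=10.0.1.20 op=vm.delete target=dev-web-01 result=success
2021-03-01T09:40:31Z source=vcenter user=bob src_ip=10.0.1.44 op=vm.delete target=prod-db-02 result=denied
2021-03-01T09:40:40Z source=vcenter user=bob src_ip=10.0.1.44 op=vm.delete target=prod-db-02 result=denied
2021-03-01T09:40:55Z source=vcenter user=bob src_ip=10.0.1.44 op=vm.delete target=prod-db-02 result=denied
2021-03-01T09:52:07Z source=esxi-host-03 user=root src_ip=10.0.1.44 op=vm.delete target=prod-db-02 result=success
2021-03-01T10:15:00Z source=vcenter user=carol src_ip=10.0.2.9 op=vm.reconfigure target=prod-app-01 result=success
"""

Event = Dict[str, str]


def parse_line(line: str) -> Event:
    """Turn one 'timestamp k=v k=v ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    event = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _when(event: Event) -> datetime:
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def search(events: List[Event], **criteria: str) -> List[Event]:
    """The query an auditor asks of text logs: every event matching all given fields."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def denied_bursts(events: List[Event], threshold: int = 3,
                  window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Rule 1: the same user denied `threshold` times inside a sliding window.
    This depends on denied attempts being logged at all."""
    alerts = []
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.get("result") == "denied":
            by_user[e["user"]].append(_when(e))
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(f"{user}: {threshold} denied operations within {window}")
                break
    return alerts


def production_deletes(events: List[Event]) -> List[str]:
    """Rule 2: any successful deletion of a VM carrying the production prefix."""
    return [f"{e['user']}@{e['src_ip']} deleted {e['target']} via {e['source']}"
            for e in events
            if e.get("op") == "vm.delete" and e.get("result") == "success"
            and e.get("target", "").startswith("prod-")]


def host_bypass(events: List[Event]) -> List[str]:
    """Rule 3: actions recorded by an ESXi host rather than vCenter, i.e. direct
    host access that skipped the central control point. The source address is
    used to tie the anonymous 'root' action to whoever used that address in a
    named vCenter session (a hint for an investigator, not proof)."""
    alerts = []
    for e in events:
        if e["source"] == "vcenter":
            continue
        named = {x["user"] for x in events
                 if x["source"] == "vcenter" and x["src_ip"] == e["src_ip"] and x["user"] != "root"}
        who = ",".join(sorted(named)) or "unknown"
        alerts.append(f"direct host access on {e['source']} as {e['user']} from {e['src_ip']} "
                      f"(likely {who}): {e['op']} {e['target']}")
    return alerts


def run_rules(text: str = LOG_LINES) -> Dict[str, List[str]]:
    events = parse_log(text)
    return {
        "denied_bursts": denied_bursts(events),
        "production_deletes": production_deletes(events),
        "host_bypass": host_bypass(events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        print(rule, hits)
```

Each rule is a few lines over structured fields and runs in milliseconds over any number of sessions; the third rule also shows why the paper’s missing fields matter, since without the source IP the host-side root action could not be tied back to the vCenter user who had just been denied. The same three questions asked of a library of screen recordings would mean watching every session.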

Analysis

It’s not surprising that the tools examined in this paper do not adequately secure the virtual infrastructure or ensure compliance. They were not designed to protect a virtualization platform with its particular characteristics, above all the need for more granular and extensive access controls and for comprehensive, audit-quality logging. Nevertheless, the tools do provide several building blocks for a true solution:

Password management that links all administrative activity to a unique ID for each privileged user, despite root account sharing.

A control point for all privileged user interaction with the virtual infrastructure, which can ensure that all activity is recorded and subject to access control.

Records of all privileged user activity.

Solution

HyTrust recognized that the vSphere platform needed substantial access control and logging supplementation before it could host critical workloads without concentrating and increasing enterprise risk. It also knew that no combination of existing security tools could get the job done. So HyTrust developed HyTrust Appliance, the only solution purpose-built to secure the virtual infrastructure and enable compliance.

HyTrust Appliance provides the relevant benefits of password vaults, jump boxes, and administration session recorders and adds the essential additional capabilities required for a complete solution. The patented solution overcomes the limitations of those tools with:

Granular role-based and virtual resource-based access controls specifically designed to bring true separation of duties, least privilege access, and resource isolation in multi-tenant environments to the vSphere platform. These bedrock security practices are as fundamental in the virtual environment as they are in the traditional data center. Any tool or product that doesn’t enable them cannot be considered a solution.

Comprehensive and easily searched text logs of all privileged user actions conducted through any vSphere management interface. HyTrust Appliance uses root password vaulting and other measures to associate every record of every attempted operation with a unique privileged user ID.

Real time detection and alerting of suspicious, dangerous, or unapproved user activity, enabling the enterprise to stop or contain threats quickly. HyTrust Appliance’s detailed, centrally compiled logs also establish privileged user accountability and provide the thorough audit trail required for compliance, audit support, and forensic analysis.

HyTrust delivers this integrated functionality in a way that is transparent to administrators and doesn’t require changes to their approved behavior. This is important in getting the operations team to both accept and use the security solution.

Other HyTrust Appliance capabilities that make it a complete solution include:
