President Obama designated October as National Cyber Security Awareness Month. But like most causes, cybersecurity requires year-round diligence, especially in a New IP world built on virtualization.
For many in the industry, virtualization is a double-edged sword. On the one hand, it enables additional attacks. But at the same time, virtualization provides new opportunities to thwart or at least contain attacks. (See How NFV Can Improve Network Security and AT&T Offers Cyber Security Strategy Fit for New IP.)
Examining both sides
Gargi Keeling, a product management director at VMware Inc. (NYSE: VMW), takes the "more-secure" stance. "When I started at VMware [over five years ago], the security conversation was more about assuring customers that our virtualization platform was secure enough to run their workloads," she says. "The conversation has shifted. We believe that running [workloads] on virtualized infrastructure is more secure than on physical infrastructure."
Cloud providers might be more diligent about implementing patches and updates than, say, a small or medium business whose IT staff is perpetually overloaded. Some also argue that when virtualized infrastructure uses open-source technology, it's more secure because there's a community looking for, and helping address, vulnerabilities. That means users aren't relying on a single vendor to shoulder that entire role.
At the same time, virtualization can open more doors to attacks. Suppose two companies, or two departments within the same company, share a server. If one of them isn't diligent about authentication, it could create a back door into the other user's data.
"Look at getting past user IDs and passwords because the 'Data Breach Investigations Report (DBIR)' shows that weak or compromised credentials are one of the commonalities across many breaches," says Ken Biery, managing principal for Verizon Enterprise Solutions Global Governance, Risk and Compliance Practice. "A compromised credential is a double dip because not only does that person gain access to whatever privileges that credential has, but it also pretty much bypasses the security that you have."
Looking for solutions
Multi-factor authentication is one solution. It's also smart to ask potential cloud providers how they authenticate other users when it comes to configuring and managing shared virtualized infrastructure.
"That's a great question and probably should be at the top of the requirements," says Biery, who recommends the Cloud Security Alliance's Cloud Controls Matrix for additional guidance when crafting requirements.
A migration to virtualization also is a good time to scrutinize firewall strategies. VMware says firewalls typically inspect only about 20% of the traffic in a data center because they're focused on the north-south route: traffic going in and out. The lion's share is inside: the east-west traffic from app to app and server to server. Virtualization is an opportunity to implement security controls inside the data center to protect east-west traffic.
"It's not that we don't have enough security," Keeling says. "Our controls are not aligned to actual traffic patterns.
"If most of your sensitive data is going east-west and going through specific application tiers – between your app and database tier, for example – but all of your controls are sitting at the access layer, where users are coming in, we're not saying remove them. We're saying you have to shift some of that focus into the core of the data center," she adds.
That strategy also moves security closer to each application and in turn helps reduce the chance that a threat will propagate. VMware's micro-segmentation architecture enables that strategy by reducing the cost and complexity of enacting it.
"It's leveraging network virtualization to isolate networks between applications and then using distributed firewalling to control the traffic to and from these micro segments," Keeling says. "It's all about preventing intrusion when possible and containing it if you can."
End-to-end encryption is another strategy worth considering because it enables security to travel with the data. Most cloud providers now offer some form of encryption, but their customers don't always take advantage of it. One reason is that when the endpoints are mobile devices such as laptops, tablets and smartphones, encryption can be an unacceptable drag on performance and battery life.
"That's one of the things that's slowed the progress of end-to-end encryption," Biery says. "It's one of those significant challenges we face as an industry."
— Tim Kridel, Freelance Contributor, special to The New IP