Wednesday 29 April 2009

Security in a Virtualised Data Centre

Following on from a successful week at the RSA Conference in San Francisco, where I was on the cloud computing panel, Secerno has a strong presence at the Infosecurity Europe show in London.

I had the pleasure of sitting on the Security Expert Forum: Security in a Virtualized Data Centre. It was moderated by Freeform Dynamics’ John Collins and also featured Owen Cole, Technology Director of F5. It was a well attended session with some lively debate from the audience.

My view on this topic is:

  • Data Centre Virtualization can be GOOD because it enables consolidation and reduces operating costs
  • Data Centre Virtualization can be BAD because VM mobility and host-internal virtual networking neutralize the single most effective security tool – physical firewalling and network segmentation.

In my panel summary I outlined the following 10 points (which I promised to post on this blog)

1. Match Mobile Security to Mobile Resources
In a virtualised environment it is possible to move a running VM from one host to another in real time, which gives resources mobility. All security defences must be deployed in an equally mobile manner: a VM that migrates to another host must not leave its firewall rules and monitoring behind. Consider, for example, deploying virtualised firewalls that move with the resources they protect (see the next item).

2. Virtualize Firewalls
Within virtualised environments there are fewer physical network cables into which firewall and IDS/IPS appliances can be plugged: traffic between VMs on the same host passes through the hypervisor’s virtual switch and never reaches a physical device. Take advantage of products that are themselves virtualised and logically cable them into the virtual network.

3. Design-in choke points
A lesson from the bad old days of flat networks was that network segregation and choke points were a strong tool for the information security professional. Virtualised environments risk a return to flat networks internally, because every VM on a host can reach every other through the virtual switch unless they are deliberately separated. With some upfront architectural care it is still possible to design choke points into virtualised environments.

4. Consolidate Security when consolidating data
As data sources proliferate, so can the security measures that protect the data. When consolidating data using virtualisation to bring business benefits, take the opportunity to rationalise and consolidate the data security as well.

5. Develop Securely
Poorly engineered software is a high risk whether it is hosted traditionally or in a virtualised environment. Always ensure that a Security Development Lifecycle is applied when developing business-critical software.

6. Drive out complexity
Complexity is the enemy of security. Resist the unmanaged and unkempt proliferation of Virtual Machines and drive out complexity at all levels.

7. Protect data in motion with active control
Take every opportunity to proactively control all data flows in the enterprise regardless of whether the architecture is virtualised or not.

8. Plan for the worst
Things always go wrong. Good planning and preparation can reduce the risks and costs when things do go wrong.

9. Intelligently Monitor and Audit
Ensure that live monitoring of systems, of how they interact and of the data they pass between them is built into the operating environment. Make use of Security Information and Event Management (SIEM) systems as well as other audit trails. Be vigilant in staffing these monitoring systems so that incidents do not go unnoticed, and enact well rehearsed response plans for all incidents.

10. Insist on Data at rest Encryption
The ease with which a VM can be copied and moved to another machine for study makes it important that all data held in the VM be strongly encrypted. The encryption key must be held outside the VM image and released to it only at run time; a copied image that carries its own key has not been protected at all.

Please feel free to send feedback on this list.

Thursday 16 April 2009

Verizon's 2009 Data Breach Investigations Report: The importance of knowing your database

Yesterday, Verizon issued its 2009 Data Breach Investigations Report, and what stands out is its finding of increased exploitation of known network or database weaknesses by outsiders. Specifically, 91 percent of all compromised records were linked to organized crime groups, and 67 percent of the breaches were aided by significant errors in network or database security.

One of the two types of hacking identified in the report, SQL injection, has seen a resurgence since last May, and has been tracked intensively by Secerno. The ability to automate SQL injection attacks has resulted in an explosion in the number of these attacks. In plain terms, an SQL injection attack smuggles attacker-chosen SQL into a query that the application builds from user input, so that the database executes the attacker’s command rather than only the application’s, for example returning data the user was never meant to see. When you combine SQL injection attacks with the presence of organized crime, you have a scenario in which data is stolen or manipulated almost immediately for fraudulent means. These are not proof-of-concept attacks or efforts by hackers to make a name for themselves. SQL injection has changed the data breach game by providing a quick means of financial gain for organized crime syndicates and others.
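The mechanism described above, as an added example that is not code from this post or from Secerno: a Python script against an in-memory SQLite database shows the vulnerable query, in which the caller’s string is glued into the SQL text, beside the parameterised query that fixes it, and runs a tautology payload and a UNION payload through both. The tables, rows, column names and payloads are all constructed for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema and rows for the example; nothing here comes from the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE staff (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users (name, email) VALUES
            ('alice', 'alice@example.com'),
            ('bob',   'bob@example.com');
        INSERT INTO staff (username, password_hash) VALUES
            ('admin', 'hash-of-admin-password');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The classic mistake: the caller's string becomes part of the statement text.

    A quote character in the input closes the literal early and everything
    after it is executed as SQL by the database."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the statement text is fixed and the value travels separately as
    a bound parameter, so it can only ever be compared as data."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Two constructed attacker inputs.  The first turns the WHERE clause into a
# tautology and dumps every user; the second appends a UNION that reads rows
# from a table the query was never meant to touch and comments out the
# application's trailing quote with "--".
TAUTOLOGY = "' OR '1'='1"
UNION_THEFT = "x' UNION SELECT username, password_hash FROM staff --"


def demo() -> dict:
    """Run a normal name and both payloads through the vulnerable and the safe lookup."""
    conn = build_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),
        "union_vulnerable": lookup_vulnerable(conn, UNION_THEFT),
        "union_safe": lookup_safe(conn, UNION_THEFT),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22s} -> {rows}")
```

With the vulnerable lookup the tautology returns both users and the UNION payload returns the staff credential row; the parameterised lookup returns nothing for either payload, because the whole input is compared against `name` as a single string value.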

Verizon provided solid recommendations for preventing data breaches, including not holding sensitive data at all. Obviously all businesses run on data, so this, they admit, is not practicable; they advise that “the next best thing is to retain only what is required for business or legal reasons, to know where it lives and flows, and to protect it diligently.”

Secerno recommends taking these efforts one step further: understand the typical behaviour of every database and block activity that deviates from it. This granular level of understanding is essential in environments under threat but, unfortunately, it is not commonplace: as Verizon found, 69% of the data breaches were discovered by a third party.

Understanding where data flows and protecting databases diligently is what we do at Secerno.

Wednesday 15 April 2009

The excitement builds towards the RSA Conference

It seems IT security people are turning their attention to next week’s RSA Conference, 20th - 24th April 2009, Moscone Centre, San Francisco. It is probably one of the premier IT security trade shows on the planet.

Secerno will again be actively attending and you can visit us on stand 2259. For me, I have a busy schedule for the week.

First I have a McAfee partner presentation at the theater in the SIA Partner Pavilion (booth #1017). I will be talking about the challenges of data security and how the Secerno and McAfee integration provides a compelling solution.

Later in the same day I am a member of the panel “In The Cloud or on the Desktop? Expert Views of Data Security Trends”. The panel moderator is Dr. Larry Ponemon, Founder, Ponemon Institute and he is supported by an interesting group of panelists: Eva Chen, Trend Micro CEO; Mary Ann Davidson, CSO Oracle; Renee Guttman, CISO Time Warner; and myself, Dr. Steve Moyle, CTO Secerno. There are some lively personalities on the panel, so if the session is even half as interesting as our pre-conference calls, then the audience will be educated and entertained. The Session ID is HOT-107 and will start at 16:10 PST.

Finally, I have a presentation “Beyond Regular Expressions: the Future of Data Protection” on Wednesday 22nd April at 08:00 PST. This is a Network session and I will be driving home, using practical examples, why security founded on regular expression signatures is a technological blind alley. Even more compelling are the mathematical foundations that prove why application languages (like SQL and JavaScript) can never be defended using regular languages (like regular expressions): the nested parentheses and sub-queries of SQL alone put it beyond what any finite automaton can recognise, so a signature can only ever match particular surface forms of an attack. If you want to find out more, feel free to attend Session ID: NET-201.
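The two points above, that a regular expression signature matches only surface forms of an attack, and (from the Verizon post earlier on this page) that learning a database’s normal behaviour and blocking deviations is the stronger defence, can be shown together in a few lines. The Python below is an added example, not Secerno’s code or any product’s rule set: a representative signature for the “OR 1=1” tautology is run beside a small tokeniser that reduces each statement to its structure by replacing literals with placeholders and dropping comments, then compares that shape against a baseline learned from constructed known-good traffic. The signature, the sample application queries and the injected variants are all assumptions made for the example.

```python
import re

# A representative regular-expression signature for the "OR 1=1" tautology.
# It is written for this example and is not a rule from any product.
SIGNATURE = re.compile(r"(?i)\bor\b\s+'?\w+'?\s*=\s*'?\w+'?")


def signature_flags(sql: str) -> bool:
    """Signature approach: does the statement text match the pattern?"""
    return SIGNATURE.search(sql) is not None


# A tokeniser for the subset of SQL used in the samples.  Order matters: the
# comment alternative is tried before the '/' operator so that /**/ is a comment.
TOKEN = re.compile(
    r"""
      (?P<ws>\s+)
    | (?P<comment>--[^\n]*|/\*.*?\*/)
    | (?P<string>'(?:[^']|'')*')
    | (?P<number>\b\d+(?:\.\d+)?\b)
    | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op><=|>=|<>|!=|[=<>(),;*+\-/])
    """,
    re.VERBOSE | re.DOTALL,
)


def fingerprint(sql: str) -> str:
    """Behavioural approach, step one: reduce a statement to its shape.

    Literals become '?', whitespace and comments vanish, identifiers (keywords
    included) are upper-cased.  Statements that differ only in the data values
    they carry share a fingerprint; any change in clause structure (an extra
    OR, a UNION, a sub-query) yields a different one."""
    parts = []
    pos = 0
    while pos < len(sql):
        m = TOKEN.match(sql, pos)
        if m is None:               # character outside the grammar: keep it,
            parts.append(sql[pos])  # so unexpected input changes the shape
            pos += 1
            continue
        kind, text = m.lastgroup, m.group()
        pos = m.end()
        if kind in ("ws", "comment"):
            continue
        parts.append("?" if kind in ("string", "number") else text.upper())
    return " ".join(parts)


def learn_baseline(queries) -> set:
    """Behavioural approach, step two: the set of shapes seen in known-good traffic."""
    return {fingerprint(q) for q in queries}


def deviates(baseline: set, sql: str) -> bool:
    """Block anything whose shape the application has never issued before."""
    return fingerprint(sql) not in baseline


# Constructed known-good traffic from a hypothetical application.
BASELINE_TRAFFIC = [
    "SELECT name, email FROM users WHERE id = 42",
    "SELECT name, email FROM users WHERE id = 7",
    "UPDATE users SET last_login = '2009-04-15 09:00:00' WHERE id = 42",
    "INSERT INTO notes (body) VALUES ('first note')",
]

# Constructed test traffic: two benign statements, then four injected variants
# of the same base query, three of which dodge the signature.
SAMPLES = {
    "benign_new_id":   "SELECT name, email FROM users WHERE id = 99",
    "benign_or_text":  "INSERT INTO notes (body) VALUES ('either tag = x or tag=y')",
    "classic":         "SELECT name, email FROM users WHERE id = 1 OR 1=1",
    "comment_evasion": "SELECT name, email FROM users WHERE id = 1/**/OR/**/1=1",
    "paren_evasion":   "SELECT name, email FROM users WHERE id = 1 OR (1)=(1)",
    "subquery":        "SELECT name, email FROM users WHERE id = 1 OR 1 IN (SELECT 1)",
}


def evaluate() -> dict:
    """For each sample: (signature fired?, shape deviates from the learned baseline?)."""
    baseline = learn_baseline(BASELINE_TRAFFIC)
    return {k: (signature_flags(q), deviates(baseline, q)) for k, q in SAMPLES.items()}


if __name__ == "__main__":
    for name, (sig, dev) in evaluate().items():
        print(f"{name:16s} signature={str(sig):5s} deviates={dev}")
```

The signature catches only the textbook form, misses the three rewritten variants and fires on a harmless INSERT whose string literal happens to contain “or tag=y”. The structural baseline flags all four injected statements and passes both benign ones, because it compares the shape of the statement with what the application is known to send rather than searching the text for a pattern. A real deployment would need a full SQL tokeniser and a learning period long enough to see every legitimate shape; the principle is the same.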

If you are at the RSA Conference feel free to come and say hello.

Wednesday 1 April 2009

Protecting the April Fool

This year's April Fool's Day has had concerns about whether the Conficker worm will trigger or not. I am keen to go beyond malware and consider a more general security question: how do we distinguish between the fool who only wants to comply with the law and the diligent person who wants to protect their precious assets?

When it comes to physical systems we have all seen it. Take the wearing of helmets for motorcyclists for example. We can only presume that the head is precious enough to protect, but it has taken legislation and policing to get riders to wear helmets. There is a great range of motorcycle helmets on the market with varying features and price.

It is easy to spot those riders who are not interested in true protection – the chopper riders who choose to wear a helmet that is a skimpy fashion item, like the small open-face cap that sits on top of the skull. It looks really cool and complies with the minimum standard of the law, but what level of protection does it offer in even the mildest collision? The alternative full-face helmet will truly protect and prevent a visit to the dentist.

Don’t be a data security fool – go beyond compliance and place a full-face security device around your precious data assets.