Virtualization Under Control: How to Virtualize More by Virtualizing More Securely

Transcription

1 WHITE PAPER - MARCH 2013 Virtualization Under Control: How to Virtualize More by Virtualizing More Securely Virtualization is becoming ubiquitous thanks to financial benefits, management flexibility, and disaster recovery capabilities. However, management flexibility is often the source of increased risk, especially if the underlying platform itself is not properly secured. This paper describes the various risks that must be addressed in order to ensure the most widespread adoption of virtualization throughout the enterprise.

2 How to Virtualize More by Virtualizing More Securely TOC Contents 1. Executive Summary 2. Introduction 3. Virtualization Reaches an Inflection Point 4. The Need for Virtualization Platform Security: Identifying the New Risks a. Access Risk b. Policy Risk c. Configuration Risk d. Visibility/Compliance Risk 5. HyTrust Appliance: Virtualization Under Control 6. How Does VMware vcenter Fit into this Picture? 7. Conclusion 2

3 How to Virtualize More by Virtualizing More Securely Executive Summary Executive Summary The momentum behind virtualization will continue to propel more tier-1 mission critical applications into the virtual infrastructure. Failure to adequately address the risks and satisfy auditors will result in more stalled virtualization initiatives, more material deficiencies discovered during audits, and more compromised virtual environments. While vcenter undoubtedly fulfills a major requirement for enterprise-class virtualization, it does fall short of addressing some of the security and compliance requirements that have begun to materialize as organizations expand into tier-1 mission-critical applications. HyTrust Appliance is a network-based policy management solution for virtual infrastructure that provides administrative access control, hypervisor hardening, and audit-quality logging. Complementing vcenter, HyTrust Appliance not only addresses the access control and policy management requirements for enterprise virtualization, but also protects vcenter from unauthorized access and misuse. HyTrust empowers organizations to fully leverage their investment in virtualization by delivering enterpriseclass controls for access, accountability, and visibility. Introduction Virtualization is not inherently insecure. However, most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants. The combination of more workloads being virtualized and workloads becoming more mobile creates a complex and dynamic environment that will be more difficult to secure. Neil MacDonald, Gartner, Inc. Virtualization is becoming increasingly ubiquitous in the datacenter thanks to its numerous benefits and rapid return on investment. Unfortunately the increased flexibility of virtualization, which enables so many of its benefits, can simultaneously increase security risk and complicate compliance initiatives. Failure to address these concerns can hamper efforts to virtualize critical applications or can prevent virtualization initiatives from moving forward. As an organization begins to virtualize more significant (or more sensitive) parts of its infrastructure, the organization must be able to confidently address these newly introduced risks. And, in some cases, must demonstrate those efforts to third-party auditors. How does an organization ensure today that someone won t snapshot a server with sensitive data onto USB memory? Or that someone won t accidentally power off a core (virtual) switch or perhaps a corporate server? Or that someone won t move a virtual machine that contains credit card information or health care records from a private host onto a public host? Or that someone won t share the root account on a host among multiple administrators and third-party consultants? As market leader in virtualization, VMware has created an incredibly robust platform and taken a substantial lead among its competitors. VMware vcenter Server was built to centrally manage VMware vsphere environments and provides some powerful virtualization management capabilities for fault tolerance, capacity management, and high availability. As organizations begin their push to virtualize tier-1 mission critical applications however, they find that vcenter lacks the appropriate capabilities to specifically address each of the risks identified above. 3

4 How to Virtualize More by Virtualizing More Securely Virtualization Reaches an Inflection Pt. For organizations seeking to maximize the return on their investment in virtualization that have limited their enterprise virtual footprint due to this lack of visibility and control, HyTrust Appliance delivers enterprise-class controls for access, accountability, and visibility for virtualization infrastructure. Complementing vcenter, HyTrust Appliance systematically addresses each of the key risks identified above, enabling organizations to confidently deploy virtualization throughout the enterprise and satisfy the requirements of their auditors in the process. Virtualization Reaches an Inflection Point Ten years ago, virtualization was primarily confined to the test and development environments of most organizations. Fast-forward to today and virtualization has almost become mainstream across corporate IT infrastructures. While still largely limited to lower-priority or internal applications in many organizations, the trend toward virtualizing tier-1 business-critical applications is undeniable. Many organizations have gone so far as to adopt a virtualize first policy. The reason for this shift is simple: virtualization brings with it enormous benefits and, in many cases, a significant return on investment. The numerous benefits lower hardware and operating costs, greater flexibility, higher efficiency and performance have spurred the rapid adoption of virtualization technology throughout the corporate data center. The question remains, however, if virtualization brings such significant benefits and cost savings then what is preventing the adoption from spreading further and faster into tier-1 business-critical applications? The primary barrier to more widespread adoption is risk. The proliferation of server virtualization, as with any disruptive technology in the datacenter, is eventually limited by its impact on management and control processes. Dave Bartoletti, Taneja Group As organizations max out on virtualizing lower-tier applications and begin to extend the virtualization footprint to include business-critical applications, greater scrutiny over the infrastructure accompany the shift. Business units have demands about application availability. Security managers have concerns about new attack vectors. Auditors flag deficiencies in the virtual infrastructure that can lead to the compromise of sensitive data. Satisfying all of these stakeholders is a new challenge to the proponents of virtualization but not an insurmountable one. The Need for Virtualization Platform Security: Identifying the New Risks The hypervisor is at the center of any discussion about virtualization. Residing atop the physical hardware (i.e. the physical machines or hosts), the hypervisor allows multiple operating systems (i.e. the virtual machines or guests) to share the underlying physical resources. As such, a new layer of management is introduced at the virtualization platform-level along with new management capabilities that previously did not exist. For example, virtual machines that run low on compute resources can be instantly relocated to a new host where there are resources to spare. Virtual machines can also be snapshotted or saved as a digital file, much like one would save a PowerPoint presentation. 4

5 How to Virtualize More by Virtualizing More Securely Identifying New Risks In a purely physical data center, the ability to remove a server from a rack and take it out of the server room would probably require keycard access just to get into the room and a physical key to unlock the server rack. In highly secure areas, the whole activity might even be captured on a security camera that is remotely monitored. By contrast, in the virtual data center, an entire server can be downloaded to a laptop or copied onto USB memory. As organizations move beyond the low-hanging fruit of workloads to be virtualized, more critical systems and sensitive workloads are being targeted for virtualization. This is not necessarily an issue, but it can become an issue when these workloads are combined with other workloads from different trust zones on the same physical server without adequate separation. Neil MacDonald, Gartner, Inc. Clearly, there is great power in the capabilities that accompany virtualization but with each new piece of functionality, organizations must question whether the risks are acceptable or if they must be mitigated. The risks that were acceptable for virtualizing lower-tier, non-critical applications are proving to be more daunting as organizations attempt to virtualize tier-1 mission-critical applications. The risk to tier-1 applications can be broadly categorized into four areas: policy, access, configuration, and visibility/ compliance: 1. Access Risk refers to the risk associated with the remote management capabilities inherent in virtual infrastructure. As more infrastructure is virtualized (e.g. server operating systems, applications, networks, etc.) the lines become very blurry between various stakeholders (e.g. system admins, application owners, networking engineers, etc.). Individuals often step on one another s toes in the chaos that ensues because enforcing separation of duties is extremely difficult. Funneling all users through a single system for management (e.g. VMware vcenter) proves impractical as administrators utilize preferred methods such as SSH to access the hypervisor and third-party management applications rely upon VMware management APIs. Perhaps riskiest of all is the fact that many organizations allow root access to the hypervisor via shared passwords among administrators, which is extremely troubling given the powerful capabilities afforded to anyone who has root access. 2. Policy Risk is inherited primarily from the fact that virtual machines carry certain properties that are quite different than those carried by there physical counterparts. For one, virtual machines have a degree of mobility not found in the physical world, sliding seamlessly across the virtual infrastructure. As mentioned above, virtual machines can theoretically attach to any available physical host and/or virtual network. As such, it is easy to envision a scenario where a machine that contains sensitive data (hospital patient records or credit card transaction data) is accidentally connected to a host or a virtual network where it becomes exposed to the public. Another example of policy risk stems from the unique ability to not only move virtual machines from within the management plane but also to easily power them off. Again, it is not difficult to imagine a situation where a core virtual switch or a virtual corporate server is accidentally powered off, creating a denial of service for others in the organization. 5

6 How to Virtualize More by Virtualizing More Securely Identifying New Risks 3. Configuration Risk stems from the hypervisor configuration settings specifically. Because of the unique position that the hypervisor occupies within the virtual infrastructure, configuration is highly critical. In other words, an improperly configured hypervisor is susceptible to compromise and a compromised hypervisor puts everything in the stack above it at risk. As more tier-1 application and core infrastructure is virtualized, putting the entire stack at risk will be unacceptable. To date, many organizations chose to combat configuration risk of the hypervisor with scripts but increasingly run into problems trying to scale this arrangement. 4. Visibility/Compliance Risk refers to the opacity and complexity inherent in the management of virtual infrastructure. With multiple individual accessing the hypervisor (including the nearly anonymous who share root passwords) over multiple protocols and access methods (SSH, Web, vsphere Client, etc.) it becomes increasingly difficult to determine who gained access to the environment and who did what once inside. Without a definitive repository of user-specific logs with a certain level of integrity (i.e. assurance that no tampering has occurred) many organizations will be hard pressed to virtualize more tier-1 mission-critical applications. This is especially true in the case where an audit of the system is required for compliance (e.g. PCI-DSS, SOX, HIPAA, etc.). 6

7 How to Virtualize More by Virtualizing More Securely HyTrust Appliance Addresses the Risk HyTrust Appliance Addresses the Risk HyTrust Appliance is a network-based policy management solution for virtual infrastructure that provides administrative access control, hypervisor hardening, and audit-quality logging. HyTrust empowers organizations to fully leverage their investment in virtualization by delivering enterprise-class controls for access, accountability, and visibility. Specifically, HyTrust Appliance provides four key capabilities, each designed to combat the risks identified above and enable organizations to confidently expand their virtual footprint to include tier-1 missioncritical applications. Unified Access Control: Enables the definition and enforcement of highly granular access policies for virtual infrastructure, according to various factors such as management operation, user role, virtual machine, access protocol, IP address, virtual network, virtualization host, and more. Integrates seamlessly with existing third-party directory servers and two-factor authentication solutions to authenticate users who attempt to access virtual infrastructure. Provides consistent access control at the hypervisor-layer to secure the virtual infrastructure while simultaneously allowing for the ultimate in management flexibility by incorporating all access methods, including VMware vsphere Client, web client, and SSH. Additionally, offers a turnkey solution to ensure secure privileged account access. As we begin to embrace virtualization, Active Outdoors recognizes the need for additional controls to secure the virtual infrastructure. Active Outdoors has chosen HyTrust Appliance to address these identified needs. HyTrust Appliance will enable us to enforce access control and segmentation across our virtual infrastructure. HyTrust will give us the ability to confidently virtualize our infrastructure--enjoying all the benefits of virtualization--without compromising the security of our customers or putting our compliance efforts at risk. Greg Collett IT Security at Active Virtual Infrastructure Policy: Enables the creation of enforceable constraints that may be applied directly to virtual machines, virtual switches, hosts and other objects within the virtual infrastructure via user-defined Object Policy Labels. Provides a level of abstraction beyond hierarchical folders, enabling highly granular and flexible policy definitions. Enables true operational-readiness within virtual infrastructure by allowing organizations to dictate strict, enforceable controls over the environment that map precisely to their operational requirements. Hypervisor Hardening: Can assess VMware vsphere hosts to identify configuration errors using pre-built assessment frameworks, such as PCI DSS, C.I.S. Benchmark, VMware Best Practices, or even custom user-defined templates. Actively eliminates configuration problems quickly and easily via active remediation. Allows proactive monitoring of hosts, eliminates configuration drift, and ensures ongoing compliance according to a defined standard, all without manual effort or scripts. Audit-Quality Logging: Provides granular, user-specific, virtual infrastructure access log records that can be used for regulatory compliance, troubleshooting, and forensic analysis. Offers a high level of visibility into the state of virtual infrastructure. Can be utilized for monitoring, alerting, and reporting, based on changes over time. Integrates seamlessly with all major log management and monitoring solutions via syslog and secure syslog. Enables quick and easy access to logs without the need for special connectors, manual integration, or disparate log aggregation and correlation systems. 7

8 How to Virtualize More by Virtualizing More Securely VMware vcenter How Does VMware vcenter Fit into this Picture? Gartner research indicates that, at YE09, only 18% of enterprise data center workloads that could be virtualized had been virtualized, with the number growing to more than 50% by YE12. As more and more workloads are virtualized, as workloads of different trust levels are combined and as virtualized workloads become more mobile, the security issues associated with virtualization become more critical to address. VMware vcenter Server was built to centrally manage VMware vsphere environments and provides some powerful virtualization management capabilities for fault tolerance, capacity management, and high availability. As organizations begin their push to virtualize tier-1 mission critical applications however, they find that vcenter lacks the appropriate capabilities to specifically address each of the risks identified above. First and foremost, as a core element of the infrastructure, vcenter serves in a vital capacity for virtual infrastructure the brains of the operation. As such it should be protected from threats. Even though vcenter has some built-in access control and policy management capabilities, it is a security best practice to separate the management functions from the security functions so that vcenter does not become a single point of failure. Access should be limited not from within vcenter but rather should be limited to vcenter. Placing vcenter behind the protection of HyTrust Appliance ensures that vcenter remains less vulnerable to improper access and can continue to perform its primary management function without interruption. Another reason that vcenter should not be called upon to address the risks identified above is the lack of visibility into host-level operations. From its vantage point inside the virtual infrastructure architecture, vcenter lacks a comprehensive view. Without the ability to see all host-level operations, it is impossible to control (and log) everything that transpires. HyTrust Appliance provides a single point of visibility and control for all host-level operations, which ensures the consistency in policy that is mandatory for the virtualization of tier-1 mission critical applications. Lastly, it is worth noting that vcenter was built from the ground up as a management application, not a security application. As such, vcenter was not built to provide the granularity in policy enforcement that is a requirement for more secure deployments. That lack of granularity in enforcement carries through to the logs, which are quite adequate for troubleshooting but lack the specificity demanded by auditors. vcenter also lacks a federated architecture, which again makes it susceptible to becoming a single point of failure and also makes it difficult to deploy consistent policies across a large enterprise. HyTrust Appliance not only employs a federated architecture but also provides granular object-level controls and granular user-specific logs that will satisfy the scrutiny of any auditor. 8

9 How to Virtualize More by Virtualizing More Securely Conclusion Conclusion There is no question that the momentum behind virtualization will continue to propel more tier-1 mission critical applications into the virtual infrastructure. Despite the numerous benefits primarily the flexibility and the cost savings organizations will move much more cautiously down this path due to the newly introduced risk and the increasing value of the virtual assets (e.g. servers with sensitive data, core infrastructure, etc.). Failure to adequately address the major risks policy risk, access risk, configuration risk, visibility/compliance risk will result in more stalled virtualization initiatives, more material deficiencies discovered during audits, and more compromised virtual environments. HyTrust Appliance 2.0 delivers virtual infrastructure control and compliance by simplifying and automating all essential elements of platform security and is well positioned to become an essential part of virtualization reference architecture. - Dave Bartolett, Taneja Group. While vcenter undoubtedly fulfills a major requirement for enterprise-class virtualization, it does fall short of addressing some of the security and compliance requirements that have begun to materialize as organizations expand into tier-1 mission-critical applications. Complementing vcenter, HyTrust Appliance not only addresses the access control and policy management requirements for enterprise virtualization, but also protects vcenter from unauthorized access and misuse. As a VMware partner, HyTrust is committed to ensuring that our joint customers are able to confidently deploy virtualization throughout the enterprise. HyTrust Appliance systematically addresses each of the key risks identified above, enabling organizations to confidently deploy virtualization, address each of these major risks, and satisfy the requirements of their auditors in the process. HyTrust Appliance is a network-based policy management solution for virtual infrastructure that provides administrative access control, hypervisor hardening, and audit-quality logging. HyTrust empowers organizations to fully leverage their investment in virtualization by delivering enterprise-class controls for access, accountability, and visibility. Contact Information Information on the HyTrust solution and discussions of current and prospective HyTrust users is available from the community development page on our web site: You can also reach our sales department at: sales@hytrust.com HyTrust is ready to answer questions, evaluate an organization s requirements for virtual infrastructure security, and explore how HyTrust can address those needs. 9

10 2013 HyTrust, Inc. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of HYTRUST, Inc. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. HYTRUST, Inc. may make improvements in or changes to the software described in this document at any time. HyTrust and HyTrust logo are trademarks or registered trademarks of HYTRUST, Inc. or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies. 10