Virtual Compliance In The VMware Automated Data Center

Transcription

1 Virtual Compliance In The VMware Automated Data Center July 2011 LogLogic, Inc Worldwide Headquarters 110 Rose Orchard Way, Ste. 200 San Jose, CA United States US Toll Free: Tel: Fax: LogLogic UK Tel: +44 (0) Fax: +44 (0) LogLogic France Tel: +33 (0) Fax: +33 (0) LogLogic GmbH Tel: Fax: loglogic.com blog.loglogic.com

2 This paper describes log management in virtualized environments-its challenges and opportunities. We will cover the similarities and differences in logging for virtualized environments versus physical environments. Introduction to Logging A well-known maxim proclaims that knowledge is power, but where do we get our knowledge about information technology (IT) components such as computers, networking gear, application frameworks, SOA web infrastructure and the like? The richest sources of such information that is always available but often overlooked are the logs and audit trails that are produced by these systems and applications. Through logs, audit trails and various alerts, information systems often give signs that something is amiss, or an event logged in the log files provides insight into future problems. Logs can also reveal larger weaknesses that may affect regulatory compliance and even IT governance, and, by extension, corporate governance. However, more often than not, it s difficult to extract information from log files and distil the data into useful and usable or actionable information. To start from the top, logs equal accountability. Wikipedia defines accountability as: a concept in ethics with several meanings often used synonymously with such concepts as answerability, enforcement, responsibility, blameworthiness, liability and other terms associated with the expectation of account-giving. There are many other mechanisms for accountability in an organization, but logs are the most common and most prevalent. To be clear, if your IT staff is not accountable, your business is not accountable. Unless you take logs, and the practice of managing them, seriously, you may be sending out the message that your organization shuns accountability. Along the same lines, logs are also immensely valuable for meeting regulatory compliance. Many recent US laws including HIPAA, PCI, Sarbanes-Oxley (SOX) and others have requirements related to log auditing and the handling of those logs. Introduction to Virtualization The inexorable trend toward server virtualization makes it possible to combine multiple diverse systems onto a single hardware platform, thus shrinking server, storage and networking costs, reducing power requirements (through a direct decrease in consumed energy and cooling costs), increasing utilization of existing computing resources and improving productivity. The impact is significant; Garter reports savings of up to 25 percent due to server consolidations and decreased hardware purchases LogLogic, Inc. All Rights Reserved 2

3 Virtualization also simplifies server provisioning, increases the average workload per server and shrinks server administration workloads, reducing the amount of required hardware purchases. Organizations save money through better hardware utilization. Simplified backup and recovery is also possible, because virtual machines can be brought back online much faster than physical machines. Virtual platforms such as VMWare ESX and their management tools enable the smooth transition from a physical to a virtual environment. It all sounds good, but what happens to logs, logging and log management when IT environments are virtualized? Logging Meets Virtualization As one can guess, virtualization platforms present new sources of logs to manage. In addition to having new log information to collect and analyze, we new challenges to logging and log analysis arise, such as the potential need to review access logs collected while virtual machine images were inactive. In addition, new opportunities for log management are also present, such as ensuring new virtual images are pre-configured with central logging capabilities. There may be ways to use logs to solve new problems, such as monitoring health and uptime status of virtual platforms and application stacks. The ubiquitous nature of log management allows the development of new operational, security and compliance solutions for virtual infrastructures using the tools we already have. What Stays the Same? First, let s review what stays the same. A virtual server is still a server complete with operating system and applications, and logs that must be collected, retained (for security and compliance reasons) and analyzed, just as they do in physical environments. The rest of IT infrastructure stays the same: routers still route network traffic, switches perform switching, firewalls and other network security devices perform their functions on network traffic, etc. In other words, IT infrastructure with virtual platforms, hosts systems and guest systems are largely the same as those with all physical elements; with all the usual logging that needs to be managed. Similarly, networking between guest systems running on a single virtual platform resembles networking between physical machines, and needs to be monitored and audited just like on a physical network. In a virtual environment, servers are still provisioned, modified and configured by system administrators, and of course accessed and utilized by end users. Such activities create audit trails that are collected and reviewed in just the same manner as are physical environments. For example, if an MS SQL database server is running on Windows 7 operating systems, but this Windows system itself sits atop of a Linux-based VMWare ESX host, both Windows logs and MS SQL audit trails must be collected and analyzed for access violations, new user accounts, data access attempts or unauthorized changes to database structures LogLogic, Inc. All Rights Reserved 3

4 In short, the advent of virtualization is not a reason to throw away tools that work for you in physical environments. They will continue to deliver value and help your IT and business to operate efficiently, be secure and compliant with relevant regulations, especially given the fact that the future belongs to a mix of physical and virtual environments. What Changes? On the other hand, virtualization has brought a lot of new technologies (all with their own logs) as well as new problems for IT departments to solve. Such problems might not have any equivalent in the physical world, where a server always meant a piece of hardware plus an operating system plus one or more of user applications running on it a worldview that virtualization is making obsolete. A virtual platform comprises a hardware platform, operating system and a hypervisor, or virtual machine software that enables other systems to run on top of it. Such a setup gives way to several major changes: New logs include hypervisor application logs, record virtualization-specific activity logs (new guest image creation, guest operating systems startup, patch access, etc). These logs must be understood by log management tools as well as the virtual machine administrators. Aggregation of servers on one hardware platform calls for stricter availability monitoring. Indeed, recovering a virtual machine image from backups might be relatively simple, but availability monitoring must still be stringent. Log management tools and possibly other monitoring tools must be deployed with real-time alerting to notify the administrators of impending fault and possible crashes or problems. Stricter host platform security monitoring will help manage breaches into the virtual infrastructure world. Extensive logging, log collection and analysis will allow thorough incident investigation. Such logs include security incident response and forensics activity across virtual farms, as well as across massive SAN arrays that house virtual machine images. Management tools such as VMWare vcenter that enable organizations to deploy and control virtual server farms introduce their own logs and logging challenges. For example, logging the activities of server administrators means recording the provisioning, configuration and status changes of virtual machines performed via such management tools. As virtual machines proliferate across an enterprise s IT infrastructure, physical hosts are retired, and new technologies must be used to secure and manage the virtual machines. Activity such as patching, management, configuration and deployment and migration of virtual machines must be logged and monitored, just like in a physical environment. Controlling and auditing these virtualization-specific activities makes another excellent use case for logs LogLogic, Inc. All Rights Reserved 4

5 Beware of Rogue Virtual Machines Finally, rogue virtual machines pose a unique security problem. If users provision their own virtual machines and their own guest systems, tracking such activities across the organization, presents a worthy challenge for example, if a unauthorized application, that would otherwise be banned, runs in its own virtual image, enforcing the security policy becomes harder since endpoint monitoring tools might not see through the virtualization veil. Rogue machines deployed in the cloud via Amazon web services, for example, present the ultimate challenge of this type. If a system resides on somebody else s virtual platform in the cloud, the chances of getting evidence of activities on such systems becomes next to impossible. Logging and Virtualization The Good, the Bad and the Ugly At this point it should be clear that changes that IT staff must face as virtualization becomes a reality in the datacenter are indeed massive. For IT staff tasked with logging activity across the infrastructure, these changes can be good, bad or ugly: They re good because it s easier to provision systems with centralized logging already enables. IT staff can also retrofit other systems by adding logging to the virtual image of that system. Moreover, current logging tools such as LogLogic will still work a major good point. They re bad or partly bad because there are new logs to collect and analyze and new activities to track and monitor. Virtual machines must be closely watched for availability and security issues and to ensure they comply with policies and regulations. They re ugly sometimes, because unmanaged virtual machines can pop up on the organization s systems or even in the cloud, violating IT policies and presenting significant enforcement and investigation challenges. Logs Help Virtualization In addition to being affected by it, logging and log management can also augment virtualization projects, especially in the areas of security, compliance and manageability. Security: Logging creates a trail of accountability for users and, especially, those privileged to access the underlying hypervisor. Tracking access to virtual machine hosts system and inactive guest images creates a trail that can be used for monitoring and auditing, as well as investigations for cybercrime or insider abuse. Perusing logs for security-relevant failures, such as missing controls, unauthorized access or unapproved changes is just as helpful in a virtual environment as it is in a physical environment. Compliance: Recent mandates such as PCI DSS 2.0 (and its June 2011 information supplement PCI DSS Virtualization Guidelines ) and others require logging, log collection and retention, log analysis and review, and log protection. For example, logging is one of the 12 PCI requirements (Requirement 10), whether the environment is physical or virtual. Hence, logs from virtual machines must be given at least as much importance as logs from physical environments 2011 LogLogic, Inc. All Rights Reserved 5

6 Manageability: Administrators and system operators benefit from logging, as well. Monitoring for failures and errors as well as general virtual machine health is not possible without effective log management. Conclusion Along with all the promise and benefits of a virtual infrastructure comes significant change, requiring new ways for organizations to collect and manage logs. However, existing log management tools such as LogLogic log management appliances can still be leveraged to address these new logging challenges, and to optimize, secure and bring into compliance newly virtualized IT infrastructures. Shameless Plug As part of VMware s Technology Alliance, LogLogic is uniquely working with VMware to instrument the vcloud stack vcloud Director, vcenter Server, ESX / vsphere Server and vshield Edge. The joint solution will give you 360 insight in to your VMware agile world. LogLogic gives you the ability to build a flexible framework that positions you for the future, but that builds on the investments you ve already made. LogLogic uniquely pre-parses your VMware log files, giving you insight in to your automated environment without the need for you to configure, tune and manually edit. We then auto-map all this knowledge against our known mandate controls database, giving you reports and alerts, again without the need to configure, tune or manually edit system configuration settings. We provide all this to you on a platform that itself is virtualized so it sits nicely within your management domain. LogLogic auto-identifies and tracks users and applications as they move from VM to VM, intelligently routing messages to one of many LogLogic appliances you may be spontaneously creating and destroying to maintain data separation and integrity. The architecture that makes all this viable was co-created between LogLogic and VMware and is now being adopted by major MSP s as the way to instrument the cloud. LogLogic is the only vendor in the SIEM market that has technology fully certified by Cisco to support your Lean Branch Infrastructure. So if you re deploying your VMware environment within remote Cisco cabinets, with have a unique solution for you. Compliance, security, and the need to operate an efficient IT infrastructure requires greater visibility and control of assets. Regardless of which business driver you have, you ll always need alerting, searching and reporting as part of the solution. That s what we do at LogLogic: we Get all IT data, regardless of source or type; See it by centralizing, augmenting, enriching, parsing and understanding your data; then we Use the data by smartly passing it to the appropriate analytic engines. Get, See, Use enables you to exceed your compliance, security, and efficiency goals for your VMware automated datacenter. LogLogic is a registered trademark in the USA and/or other countries. All other brand names, product names, or trademarks belong to their respective holders. LogLogic reserves the right to alter product offerings and specifications at any time without notice, and is not responsible for typographical or graphical errors that may appear in this document LogLogic, Inc. All rights reserved. Rev