Five Critical Steps for Ensuring Security Policy Protection in Private and Hybrid Clouds

By NFVZone Special Guest
Edmundo Costa, CEO, Catbird
August 25, 2014

Fundamental shifts in data center architecture, specifically virtual networking, have resulted in a highly dynamic and agile infrastructure that is exposing weaknesses in legacy perimeter-based network controls and leaving applications vulnerable to internal threats.

According to Gartner, virtualization had penetrated over 50 percent of all server workloads by the end of 2012, and that percentage continues to grow.  In addition, new software-defined networks (SDN) will further challenge perimeter-based security methods. At the same time, highly automated cloud systems have given us the opportunity to rethink how we can use the power of the Cloud to maximize efficiencies within IT and protect our most sensitive data while also supporting business initiatives.

Until recently, security within the data center was applied in one location – the perimeter. While still a valid place to protect against external threats, the ideology of perimeter security leaves security policy and compliance within private clouds largely static, as Advanced Persistent Threats (APTs) easily penetrate data center infrastructure and mobile devices routinely bypass the perimeter.

Organizations are now looking for ways to address the internal private cloud threat to prevent both accidental and malicious misconfigurations as well as internal attacks.  Today, new developments in security for the virtual and software defined networks are extending and evolving traditional perimeter protections to include detection and enforcement of the policies put in place to address these threats.

Network controls need to be configured according to internal security and compliance policies, then continuously monitored and measured to verify their efficacy and finally, enforced with predetermined alerts and machine-speed mitigation. Through this approach, virtual security becomes dynamic and policy-based and can address many of the challenges network administrators face today.

Five Key Considerations When Approaching Private Cloud Security

To address the security and compliance challenges of the private cloud, it is necessary to enable an automated approach to identify and protect existing and new cloud assets. Consider these five priorities when implementing security in virtualized environments:

1. DISCOVERY - Discovering your virtual environment, inside and out

Policy decisions that are executed in the virtual environment are highly dependent on the context of the infrastructure. The hypervisor, virtual switch, VLAN, virtual network configurations and VMs are all critical data points to consider in the effort to protect the private cloud.

  • It is crucial to know the precise number of hypervisors, VMs and virtual switches on the network. It is even more important to understand how they are interconnected within the data center in order to apply specific policies to those objects through orchestrated network controls.
  • Consider security solutions that are placed in the logical switching fabric and on the hypervisor to provide different angles from which to correlate observations, such as notification about assets as they announce themselves or what the hypervisor is reporting. Additionally, solutions that run alongside workloads on the virtual switch can provide the ability to inspect all traffic, identify threats and enforce policies.
  • Many network applications today include a dashboard or some form of console for managing the application environment. Cloud security should be no different. When identifying a solution, look for those that include a web management console and central processing hub for all security and compliance operations to give you a holistic view of your virtual network.
  • Today, VMs can be easily copied, cloned, moved or misconfigured. Begin with virtual asset discovery to establish a perfect inventory of all of the VMs and their network configurations across the entire cloud infrastructure, and then isolate sensitive data using zone-based security.
  • Identify solutions that can secure the private cloud with increased visibility and situational awareness with all network controls in the SANS Top 20 Critical Controls framework, such as vulnerability management with configuration checks based on Security Content Automation Protocol (SCAP).

By having a complete context of network activity, we can improve and ensure the network security posture within private clouds, accelerate incident response and forensic analysis and reduce audit and compliance burdens.
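The discovery step above correlates two vantage points: what the hypervisor reports and what actually announces itself on the virtual switch. The following is an added example (not Catbird's product code, nor anything from the original article) that reconciles a constructed hypervisor report against constructed virtual-switch port observations and flags the discrepancies a practitioner cares about: a VM seen on the fabric that no hypervisor reports, a cloned VM that kept its MAC address, and a VM observed on a VLAN other than the one it is configured for. The `VmRecord` and `PortObservation` records and all sample values are assumptions made for the example.

```python
"""Reconcile a hypervisor inventory with virtual-switch observations.

All data below is constructed for the example; no real environment is involved.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VmRecord:
    name: str
    hypervisor: str
    mac: str
    vlan: int          # VLAN the VM is configured for


@dataclass(frozen=True)
class PortObservation:
    vswitch: str
    mac: str
    vlan: int          # VLAN tag actually seen on the virtual-switch port


# Constructed hypervisor report (hypothetical names and MACs).
HYPERVISOR_REPORT = [
    VmRecord("web-01", "hv-a", "00:50:56:00:00:01", 10),
    VmRecord("web-02", "hv-a", "00:50:56:00:00:02", 10),
    VmRecord("db-01", "hv-b", "00:50:56:00:00:10", 20),
    VmRecord("db-01-clone", "hv-b", "00:50:56:00:00:10", 20),  # clone kept the MAC
]

# Constructed virtual-switch observations.
VSWITCH_OBSERVATIONS = [
    PortObservation("vds-1", "00:50:56:00:00:01", 10),
    PortObservation("vds-1", "00:50:56:00:00:02", 20),  # configured 10, seen on 20
    PortObservation("vds-2", "00:50:56:00:00:10", 20),
    PortObservation("vds-2", "00:50:56:00:00:99", 20),  # no hypervisor reports it
]


def summarize(report, observations):
    """Precise counts of hypervisors, VMs and virtual switches in play."""
    return {
        "hypervisors": len({vm.hypervisor for vm in report}),
        "vms": len(report),
        "vswitches": len({obs.vswitch for obs in observations}),
    }


def reconcile(report, observations):
    """Correlate the two sources and return findings by category.

    duplicate_mac       - one MAC reported for more than one VM (cloning)
    unknown_on_fabric   - MAC seen on a switch port but absent from the report
    vlan_mismatch       - VM observed on a VLAN other than its configured one
    not_seen_on_fabric  - reported VM that never appeared on any switch port
    """
    by_mac = {}
    for vm in report:
        by_mac.setdefault(vm.mac, []).append(vm)

    findings = {"duplicate_mac": [], "unknown_on_fabric": [],
                "vlan_mismatch": [], "not_seen_on_fabric": []}

    for mac, vms in by_mac.items():
        if len(vms) > 1:
            findings["duplicate_mac"].append(mac)

    seen_macs = set()
    for obs in observations:
        seen_macs.add(obs.mac)
        vms = by_mac.get(obs.mac)
        if vms is None:
            findings["unknown_on_fabric"].append(f"{obs.vswitch}:{obs.mac}")
            continue
        for vm in vms:
            if vm.vlan != obs.vlan:
                findings["vlan_mismatch"].append(
                    f"{vm.name} configured={vm.vlan} observed={obs.vlan}")

    for vm in report:
        if vm.mac not in seen_macs:
            findings["not_seen_on_fabric"].append(vm.name)

    return {key: sorted(values) for key, values in findings.items()}


if __name__ == "__main__":
    print(summarize(HYPERVISOR_REPORT, VSWITCH_OBSERVATIONS))
    for category, items in reconcile(HYPERVISOR_REPORT, VSWITCH_OBSERVATIONS).items():
        print(category, items)
```

Each finding category maps to a question an auditor asks: is the inventory complete, is anything on the network that should not be, and are the isolation boundaries (here VLAN tags) actually where the configuration says they are.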

2. ZONING - The importance of network security zoning

The ability to assign VMs to security policy containers, or zone-based security predicated on common trust-class and independent of IP address or network topology, adds a contextual element that allows for more accurate policy assignment.

  • Optimally, an enterprise-wide view of all network flows across these “trust zones,” drawn in real time, allows administrators to quickly see the virtual network from a security policy perspective. Views of specific firewall rules affecting network traffic, flows and connections can reveal data patterns and a well-rounded picture of network traffic between and within trust zones in the private cloud.
  • Virtual security should also allow firewall rules to be created and updated automatically whenever trust zone membership or a VM network configuration changes, and pushed to all virtual firewalls, enterprise-wide.

Deploying trust zones at run-time allows assets with different levels of security policies to reside within the same cloud infrastructure. These trust zone policy containers can be used to extend current perimeter isolation. Incorporating new virtual controls operating inside the virtual switch fabric, while validating security posture, will expedite the audit process.

3. VERIFICATION - Continuous monitoring against leading standards

“Trust but verify” is a cardinal rule, especially for detection of accidental or malicious misconfiguration. Validate policies by continuously monitoring the network, including VM configurations and security controls against policy at both the trust zone and individual VM level.

  • Continuously validate VLAN isolation or virtual firewall settings through event capture of data flows, IDS/IPS flows, VM file and network configurations, hypervisor network events and virtual firewall events.
  • Events should be monitored, correlated, logged and made available for real-time visualization and historical reporting and mapped to industry standards such as PCI DSS 3.0, COBIT and FISMA.
  • Through continuous monitoring, ROI can be realized quickly by reducing preparation for assessments, ensuring evidence of control, controlling audit scope creep and eliminating costly audit disruptions.

These efforts will instill confidence in network protections by verifying and validating network controls against hardening requirements and best practices.  Automating event-capture and mapping to standards through real-time visualization and audit reporting will unburden scarce IT personnel from manual audit processes.

4. ENFORCE - Automate mitigation at machine speed

Business groups demand quick deployment of applications, while IT demands efficiency. In a private cloud or virtual data center, solutions should enable policy that is both verified and enforced at the asset level. This dramatically improves incident response times and reduces audit costs.

  • Mitigate attacks by reducing the threat footprint and applying targeted security policies to block known exploits, viruses, spyware, botnets and APTs as well as accidental or malicious misconfigurations and insider threats.
  • Look to configure the system so that events that violate trust zone policies will result in automated alerts. Alerts should also trigger optional automated mitigation to enforce policy and maintain compliance.
  • Use existing Virtual Local Area Network (VLAN) isolation across the data center. The most common mechanism for isolating converged infrastructure is through logical isolation with VLANs. Given the risks associated with a breakdown in VLAN isolation due to accidental or malicious misconfigurations, best practices and security standards are calling attention to the need to verify, validate and mitigate.
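Sections 2, 3 and 4 describe one loop: VMs belong to trust zones by trust class rather than by IP address, firewall rules are derived from zone membership, observed flows are verified against the zone policy, and violations raise alerts that can feed automated mitigation. The following is an added example (not Catbird's code and not from the original article) that models that loop in a few dozen lines. The zone names, IP addresses, ports, the `ZoneController` class and the "block" and "quarantine" actions are all assumptions constructed for the example; in a real deployment the actions would be handed to the virtual firewall or orchestration layer rather than returned as strings.

```python
"""Trust-zone policy model: zone membership -> derived firewall rules ->
flow verification -> alerts with a proposed mitigation.

Everything here is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vm:
    name: str
    ip: str
    zone: str


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Alert:
    flow: Flow
    reason: str   # why the flow violates policy
    action: str   # proposed mitigation for an operator or an automated hook


# Constructed zone policy: (source zone, destination zone) -> allowed destination
# ports. Anything not listed, including traffic within a zone, is denied.
ZONE_POLICY = {
    ("web", "app"): {8080},
    ("app", "db"): {5432},
    ("mgmt", "web"): {22},
    ("mgmt", "app"): {22},
    ("mgmt", "db"): {22},
}


class ZoneController:
    def __init__(self, policy):
        self.policy = policy
        self.vms = {}  # VM name -> Vm

    def assign(self, name, ip, zone):
        """Add a VM to a zone, or move it: re-assigning overwrites the record."""
        self.vms[name] = Vm(name, ip, zone)

    def zone_of(self, ip):
        for vm in self.vms.values():
            if vm.ip == ip:
                return vm.zone
        return None  # not a known asset

    def derive_rules(self):
        """Expand zone policy into concrete (action, src_ip, dst_ip, port) rules
        plus a default deny. Re-run whenever membership changes, so a VM that
        moves, changes IP or changes zone gets its zone's rules automatically."""
        rules = []
        for (src_zone, dst_zone), ports in self.policy.items():
            for src in self.vms.values():
                if src.zone != src_zone:
                    continue
                for dst in self.vms.values():
                    if dst.zone != dst_zone:
                        continue
                    for port in sorted(ports):
                        rules.append(("allow", src.ip, dst.ip, port))
        rules.append(("deny", "any", "any", "any"))
        return rules

    def verify(self, flows):
        """Check observed flows against zone policy; one Alert per violation.
        A flow touching an IP that belongs to no known VM is its own finding."""
        alerts = []
        for flow in flows:
            src_zone, dst_zone = self.zone_of(flow.src_ip), self.zone_of(flow.dst_ip)
            if src_zone is None or dst_zone is None:
                alerts.append(Alert(flow, "unknown asset", "quarantine"))
                continue
            if flow.dst_port not in self.policy.get((src_zone, dst_zone), set()):
                alerts.append(Alert(
                    flow, f"{src_zone}->{dst_zone}:{flow.dst_port} not permitted", "block"))
        return alerts


def demo():
    """Constructed scenario: four VMs, four observed flows, then a zone change."""
    ctl = ZoneController(ZONE_POLICY)
    ctl.assign("web-01", "10.0.1.10", "web")
    ctl.assign("app-01", "10.0.2.10", "app")
    ctl.assign("db-01", "10.0.3.10", "db")
    ctl.assign("jump-01", "10.0.0.5", "mgmt")
    flows = [
        Flow("10.0.1.10", "10.0.2.10", 8080),  # web -> app, permitted
        Flow("10.0.1.10", "10.0.3.10", 5432),  # web -> db, not permitted
        Flow("10.0.2.10", "10.0.3.10", 5432),  # app -> db, permitted
        Flow("10.0.9.9", "10.0.3.10", 5432),   # source belongs to no known VM
    ]
    alerts = ctl.verify(flows)
    rules_before = ctl.derive_rules()
    ctl.assign("web-01", "10.0.1.10", "quarantine")  # membership change, same IP
    rules_after = ctl.derive_rules()
    return alerts, rules_before, rules_after


if __name__ == "__main__":
    found, before, after = demo()
    for a in found:
        print(f"ALERT {a.flow.src_ip}->{a.flow.dst_ip}:{a.flow.dst_port} "
              f"{a.reason} -> {a.action}")
    print(f"{len(before)} rules before quarantine, {len(after)} after")
```

The point of the final step in `demo` is the one the article makes about zoning: moving `web-01` into a quarantine zone changes nothing about its IP, yet every allow rule that referenced it disappears on the next `derive_rules` call, which is what "independent of IP address or network topology" buys you operationally.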

5. TAKE ACTION

With powerful security protection in place, IT and business groups can make more informed decisions, deploy new applications quickly and closely manage their policies. To that end, private and hybrid cloud IT administrators should be able to:

  • Gain access to total visibility of the private cloud network, with a perfect inventory of all VMs.
  • Automate trust zones to ensure that assets are protected by previously defined policies.
  • Extend perimeter-based VLAN isolation with additional controls and enable virtual firewall isolation where appropriate.
  • Automatically apply virtualized policies to individual or groups of VMs in order to actively monitor and enforce them from inception to retirement.

Empowering administrators to dynamically create security policies, on demand and in real time, will safely enable sensitive and mission-critical workload migration to private clouds.

About the Author: Edmundo Costa joined Catbird in 2007 and is a software industry veteran. He brings over 20 years of executive experience growing companies from their early stages through to IPO. As the CEO, he leads Catbird’s pioneering efforts to deliver a new approach in the enterprise security market, ensuring that virtual and cloud infrastructures are secure and compliant. Prior to Catbird, Edmundo was a founding member of Tarantella, Inc. and held executive positions at The Santa Cruz Operation (SCO). He also worked at Accenture. He received his MBA from Harvard Business School and is a graduate of Cornell University with dual degrees in Operations Research & Information Engineering and Economics. 

Edited by Maurice Nagle