Edward Snowden’s NSA security breach and Target’s point-of-sale malware fiasco have changed the online security landscape, panelists at VMworld 2014 said. What lessons should IT leaders learn in the wake of these high-profile cases?
A breakout session titled “The Insider Threat and the Cloud” featured five security experts who have seen their fair share of breaches over the years. They detailed the immediate threats facing IT administrators today — threats that could come from within their own teams.
There's no getting around it, panelists said: Much of today's security infrastructure is full of holes created by lax policies, human error and mounds of unstructured, unprotected data. A gulf has emerged between the convenience of the cloud and the security of isolated, on-premises servers, and attackers are taking advantage of these weaknesses in publicized and unpublicized hacks.
The problem was highlighted during Monday's keynote address, when VMware CEO Pat Gelsinger told the audience that security has become the biggest inhibitor to international adoption of the public cloud.
Rick Holland, principal analyst of Forrester Research, hosted the panel on insider threats. He said virtualization has made work easier, but malicious attacks can exploit the weakness created by having resources gathered in the same place. Attacks from inside secure networks have become the foremost security threat in recent years, but not every company spends enough time preparing for them, he said.
"Once an attacker gets into this very automated, scalable infrastructure, they can cause a lot of pain," Holland said.
Holland recounted the details of a recent hack in June that forced Code Spaces, a startup in the Infrastructure as a Service arena, to close its doors. An attacker had compromised their internal security through a distributed denial of service (DDoS) attack, then gained control and demanded a ransom from the company. When Code Spaces officials refused to pay, the attacker responded by deleting all data, including backups, from the company's cloud provider, the Amazon Elastic Compute Cloud. The damage was unrecoverable.
Holland called this extortive method of attack the "Tony Soprano DDoS," and it's becoming more common, he said.
"It's the all-your-eggs-in-one-basket problem," said panelist Eric Chiu, the founder and president of HyTrust, a cloud security firm.
Chiu's firm recently worked with a large U.S. bank, which after auditing the permissions of their network admins, realized that one person — the virtualization admin — wielded almost absolute power over the bank's online presence.
"The entire bank could be taken out by the right virtualization admin with the right script," Chiu said.
The nature of the problem precludes an obvious solution, said Davi Ottenheimer, EMC's senior director of trust. Companies increasingly want more security without sacrificing agility.
"On the one hand, we want massive availability, and part of that is destroying every perimeter in the world," Ottenheimer said. "On the other hand, we try to build perimeters everywhere. So how do you lock down everything in the data centric model?
"That's a really hard problem, because you're trying to solve essentially opposed problems in terms of trust," he said.
Ottenheimer said one solution lies in adopting a classification strategy. Such policies assign data with roles to ensure they aren't exploited.
A similar approach can be taken with people by building a policy that serves as an insider threat detector. Using behavior profiles on each administrator, a company can establish red flags for restricted activities, so that when a threshold is crossed in an administrator's daily workflow, it can be reviewed and action taken if necessary.
In 2008, Terry Childs, a former network engineer, held the keys to the castle, so to speak, in his job as a network admin for the city of San Francisco. He was charged with computer crimes for refusing to turn over the all-access key he had developed for the city’s FiberWAN network, which carries more than 60 percent the network traffic between city government departments. Ottenheimer said officials knew Childs had been acting strangely, but had no policy in place for responding once it was clear he had become a liability to their network security.
A behavior profile might have worked in this situation, Ottenheimer suggested. By combining the employee knowledge of human resources with the network knowledge of IT, a company can identify insider threats before they cause major damage, Ottenheimer said.
Another solution, offered by Noah Weisberger, director of cloud and virtualization at Coalfire, an IT audit and compliance firm, is to restrict access to a network’s most powerful features to a two-person key process. This technique limits risk by requiring human collaboration to change anything. The challenge then becomes overcoming the practice and implementation of a restrictive policy.
Weisberger also said that too often companies “overencrypt” their data. But encrypted data can’t be monitored easily. In an attack scenario, having oversight of data is often just as important as having it locked down. Instead, he suggested specific, scalable encryption to protect the most valuable levels of data.
Ottenheimer disagreed, saying companies shouldn’t get in the habit of only encrypting certain data, because security could then be applied too thinly when dealing with massive amounts of data.
The pair also disagreed over how closely to scrutinize data being uploaded to a cloud environment. Weisberger said a plan must be in place for the full lifecycle of a data set, with policies for several possible outcomes in case of security threats.
“Never push anything into the cloud that you don’t fully understand,” Weisberger said.
To which Ottenheimer quickly replied: “Then never push anything to the cloud.”
To view more of our VMworld coverage, visit our VMworld 2014 conference hub.