
Security Risk Discovered in Infrastructure Changes

Cloud Security, by Sasha Gilenson

Infrastructure as a Service delivered from the cloud is now a reality. Cloud adoption brings enterprises many benefits: typical IT tasks can be completed in hours rather than weeks or months, and the model promises greater business continuity, flexible computing power and cost savings. As organizations increasingly lean on the cloud, IT staff can devote more of their time to innovation and core business objectives rather than to maintaining systems and infrastructure.

Cloud computing, whether public or private, represents a big change in how IT is managed, yet the benefits of the cloud don't come without costs. 

As more businesses move the management of their IT infrastructure into the cloud, both cloud and on-premise infrastructure have to be protected so that all corporate assets remain secure, and the appropriate level of protection has to be enforced in both places. The key difference in the cloud model is that it includes external elements, and those elements are managed by the cloud service provider. Companies therefore need to understand the environment beyond their own data center and consider how it affects the organization from a security standpoint.

Identify Infrastructure Changes for Cloud Security

Automating configuration monitoring pays dividends quickly for security. Given the frequency of updates and changes across IT environments, from pre-production to production and DR, identifying changes quickly, together with their criticality, provides the focus needed to pinpoint security risks. In an ideal automated process, any change to a configuration immediately triggers a notification, giving IT operations constantly updated insight: the configurations of production assets are analyzed as they change and compared against known-good baselines.

The priorities of data center security management have changed. Threats no longer come only from the traditional perimeter but also from within the enterprise, reaching the infrastructure through several different channels.

Internal intrusion within firewall

IT assets that used to be maintained inside the firewall are migrating outside it, and in the future IT departments will manage a hybrid of on-premise and off-premise resources. With BYOD, users now access IT resources from their own computers, smartphones and tablets at any time, from outside the firewall.

Virus proliferation

Sophisticated viruses can now operate freely inside an otherwise secure organization. Flame, for instance, was a highly sophisticated piece of malware that entered organizations disguised as common business software.

Intentional damage by dissatisfied employee

All it takes to subvert the access control mechanisms on cloud instances is one unhappy employee changing a few key configuration parameters.

Innocent, unintentional damage 

Small USB flash drives can cause big security headaches for IT, even with robust endpoint security and rigid policies in place. Employees can circumvent security controls and introduce external applications that affect the behavior and performance of the production environment.

Today's Security Tools

Responding effectively and promptly to information security threats requires continuous, thorough analysis of an enormous number of ongoing events. Today's security tools increasingly emphasize integration with SIEM (Security Information and Event Management) technology. SIEM approaches security by synthesizing the underlying risks of complex distributed attacks on large networks, considering the context of each threat and the importance of the assets involved.

SIEM technology evaluates situational risk, discovers the network inventory and distinguishes actual threats from the thousands of false positives produced every day in every network. McAfee refers to this as "situational awareness": a threat manifests itself as a string of anomalous events that, taken together, signal a security problem.

Risk Discovered in Configuration Discrepancies

At the most basic level, cloud technologies can reduce the number of administrators needed to manage an environment, shrinking the IT staff and altering the approach to operations. A new trend is based on the idea of NoOps. No, this isn't about eliminating the IT operations organization outright, but rather about turning the operations team into a smaller, more efficient group. The skill set of this group shifts toward automation, and cloud management tools should take this into account.

Simple Tool Setup

Security issues can manifest themselves as changes to an environment's bill of materials or configuration. These may be innocent updates of registry keys or major changes to security parameters, whether scripted or the result of human error. By detecting in real time the changes that can affect the environment's security, IT is better prepared to provide the necessary protection and to respond immediately to potential threats.

For example: we saw a case where a virus penetrated a large organization and operated largely undetected. Its presence was eventually discovered through the changes it made to the operating system's localization parameters in the Windows registry, which affected how text in certain languages was rendered. The virus was found by chance, when a user reported incorrectly displayed text.

Subtle changes like this are usually hard to identify, because they happen outside the context of system operations: they are neither planned nor authorized. Standard change management processes will not necessarily catch them, since nobody expects them and they do not show up in the normal review of planned work.

Continuous Monitoring

In today's increasingly complex IT environments, it is not enough to detect configuration anomalies "periodically". IT needs to monitor for changes continuously, checking for any loss of consistency with the expected state. The instant a configuration drifts into a state that would be considered critical, the IT team needs to be alerted; in other words, IT needs to know what changed. Finding these changes early in the haystack of a complex, dynamic environment can reveal a threat in the system before it creates further problems.

Recognizing the risk at the moment it enters the organization lets the team deal with the root cause before a failure registers. Otherwise it is probably too late, and the consequences have already set in.
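The monitoring loop described above (compare live configuration to a baseline, rate each change, and alert on the ones nobody authorized) can be sketched in a few dozen lines. The block below is an added example written for this page; it is not code from the original post or from any product. The registry paths are real Windows locations for localization and persistence settings, but the severity policy, the sample baseline and snapshot, and the change tickets are constructed for illustration. It also does what the registry-virus case above needed: a change to a localization key that no change record explains is surfaced on its own, instead of waiting for a user to notice garbled text.

```python
"""Added example: configuration drift detection against an approved baseline,
with a severity rating per setting and correlation to change-management
records. Key names below are illustrative; the policy is an assumption."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

ConfigSnapshot = Dict[str, str]  # registry path or "file:setting" -> value

# Illustrative severity policy (assumption, not from the post): settings whose
# change should page someone, and settings that merit prompt review.
CRITICAL_PREFIXES = (
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\",                # service binaries, start type
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",  # autostart persistence
    "/etc/ssh/sshd_config:",
    "/etc/sudoers:",
)
HIGH_PREFIXES = (
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\",  # OS localization, as in the case above
    "HKCU\\Control Panel\\International\\",
)


@dataclass(frozen=True)
class ChangeRecord:
    """An approved change: which settings it covers and when it was allowed to run."""
    ticket: str
    key_prefix: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Change:
    key: str
    old: Optional[str]      # None when the setting was newly added
    new: Optional[str]      # None when the setting was removed
    severity: str           # "critical" | "high" | "low"
    ticket: Optional[str]   # the change record that explains it, or None


def classify(key: str) -> str:
    """Rate a setting by how much damage an unreviewed change to it can do."""
    if key.startswith(CRITICAL_PREFIXES):
        return "critical"
    if key.startswith(HIGH_PREFIXES):
        return "high"
    return "low"


def explain(key: str, observed_at: datetime, records: List[ChangeRecord]) -> Optional[str]:
    """Return the ticket that authorises a change to `key` at `observed_at`, if any."""
    for rec in records:
        if key.startswith(rec.key_prefix) and rec.start <= observed_at <= rec.end:
            return rec.ticket
    return None


def detect_drift(baseline: ConfigSnapshot, snapshot: ConfigSnapshot,
                 observed_at: datetime, records: List[ChangeRecord]) -> List[Change]:
    """Diff a live snapshot against the approved baseline; annotate every difference."""
    changes: List[Change] = []
    for key in sorted(set(baseline) | set(snapshot)):
        old, new = baseline.get(key), snapshot.get(key)
        if old == new:
            continue
        changes.append(Change(key, old, new, classify(key), explain(key, observed_at, records)))
    return changes


def alerts(changes: List[Change]) -> List[Change]:
    """Changes that are both unexplained by change management and serious enough to page on."""
    return [c for c in changes if c.ticket is None and c.severity in ("critical", "high")]


# Constructed sample data (not captured from a real system).
BASELINE: ConfigSnapshot = {
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\Default": "0409",
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\CodePage\\ACP": "1252",
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Start": "2",
    "/etc/ssh/sshd_config:PermitRootLogin": "no",
    "/etc/ntp.conf:server": "ntp1.example.internal",
}
SNAPSHOT: ConfigSnapshot = {
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\Default": "0409",
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\CodePage\\ACP": "1250",   # silent locale change
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Start": "2",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\updsvc": "C:\\ProgramData\\updsvc.exe",  # new autostart
    "/etc/ssh/sshd_config:PermitRootLogin": "no",
    "/etc/ntp.conf:server": "ntp2.example.internal",   # planned, see CHG-1042
}
RECORDS = [ChangeRecord("CHG-1042", "/etc/ntp.conf:",
                        datetime(2024, 3, 5, 8, 0), datetime(2024, 3, 5, 10, 0))]
OBSERVED_AT = datetime(2024, 3, 5, 9, 30)

if __name__ == "__main__":
    for c in detect_drift(BASELINE, SNAPSHOT, OBSERVED_AT, RECORDS):
        status = c.ticket or "UNEXPLAINED"
        print(f"[{c.severity:8}] {status:12} {c.key}: {c.old!r} -> {c.new!r}")
```

Run on the sample data it reports three changes: the NTP server change is matched to CHG-1042 and stays quiet, while the locale code page change and the new autostart entry have no ticket and are raised as alerts. The point of correlating against change records rather than just diffing is exactly the one made above: a change that nobody planned is the signal, and a diff alone cannot tell planned from unplanned.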

Security Risks in the Cloud

With most organizations leveraging the cloud to cut capital expenditure and control operating costs, cloud adoption is growing aggressively. However, managing IT in the cloud means weighing security risks whose cost to the organization can outweigh the savings achieved by moving to the cloud.

The issue of cloud security is much more complex than simply "is the cloud secure or not". A cloud-based application can be hosted in a secure environment, with properly encrypted data and protocols, and a harmful change can still affect it. Damage to just one image in the cloud repository can affect thousands of instances spun up from that image. The bottom line is that change and configuration management has to be active on another front and address security issues directly. SIEM technologies and change management processes need to be integrated so that security issues are identified as early as possible.

Your Turn
How do you see configuration management tools having an impact on security issues?

About the Author
Sasha Gilenson
Sasha Gilenson enjoyed a long and successful career at Mercury Interactive (acquired by HP), where he led the company's QA organization, participated in establishing Mercury's Software as a Service (SaaS) offering, and led a Business Unit in Europe and Asia.

Sasha played a key role in the development of Mercury's worldwide Business Technology Optimization (BTO) strategy and drove field operations of the Wireless Business Unit, all while serving as Mercury's top "guru" in quality processes and IT practices. In this capacity, Sasha has advised numerous Fortune 500 companies on technology and process optimization, and in turn acquired a comprehensive and rare knowledge of the market and industry practices.

Sasha holds an M.Sc. in Computer Science from Latvian University and an MBA from London Business School.