How Ashley Madison Makes Security Sexy

Bringing Sexy Back to Security. Ok, maybe not back; maybe making security sexy for the first time is more appropriate. Thanks to the recent Ashley Madison hack, folks are actually equating sex and security more than ever. Thank goodness for that, because security really needs to be viewed in a better light, even if it is a red light.
Cue someone singing Roxanne.

Full details haven’t been exposed as to how Impact Team were able to so easily crack into Ashley Madison’s network and PWN them harder than a teenage Modern Warfare team playing against a group of kindergarteners. What was explained was that once they were in there was no security internally; everything was easily exposed. Evidently, once in, the hackers could VPN to every server in the environment with the username root and the password Pass1234. That’s the kind of password an idiot would have on their luggage.

If the importance of this last bit doesn’t immediately jump out at you it’s not that the breach happened, because they too often do. It’s that people suck at security. People are our biggest vulnerability in any environment.

I have had so many conversations with folks regarding security policies and whether they actually make organizations more secure. Odds are no, the policies most likely do not secure the environment. Instead the policies act as a way to set guardrails for users. This helps to curb behavior and drives users in the direction the company wants them to go. It’s like herding cats.

The same people who argue against using ridiculous policies, and believe me I have been privy to some really bad security policies, say that what we really need is better training for the employees. Here is where I call BS, SUPER DUPER MAJOR BS. How many of you have to do quarterly or annual training? How many of you then actually do it vs. hit play on some video recording and go to lunch? Hell, I have been guilty of that when the training doesn’t actually apply to me but I have to do it anyway. Training doesn’t help either if a breach actually happens or there are regulatory violations that result in fines; “Oh but we trained our people” doesn’t really get you out of the fines.

So how then does anyone operate securely? Is it just replacing the humans with robots?

Look, I am not trying to stand on a soapbox and say that I have the answers. What I am saying is that security is about risk management. You manage risk in three ways: accept it, mitigate it, or avoid it. Accepting risk means that you get that there is an issue, but since nothing can be done you take the risk anyway because the reward outweighs the potential problems. Mitigation means you take as many precautions as possible to eliminate the risk; it’s not foolproof and there will still be breaches, but you do your due diligence to protect yourself. Avoidance is a matter of assessing the risk, determining that the reward doesn’t outweigh the risks, and thus moving away from the risk.

The Ashley Madison hack is hilarious in the irony of the situation, because not only was the very business of it a giant risk (cheating on your spouse), but it appears little to no risk assessment was done, either of the regulatory controls for PII or of the infrastructure for that matter. Step away from the business issues and the lack of security awareness and over to the user side, and you see thousands of government employees signed up for the service with their government email addresses. Hello, McFly! What were they thinking? How about a little OpSec, given that there are free email services all over the interwebs? These people just accepted the risk and pressed on.

Despite all of this stupidity, the search for sex led these poor ignorant souls to a poorly managed, risk-accepting service, for what should have been a risk-averse user population. Hopefully now the sexiness of how this could have been avoided can be applied, and more companies and users can understand why security and risk management matter so much.

Multi-tenancy means what exactly?

This blog may just turn into a vocabulary lesson for IT people. Today’s word is multi-tenancy.


Multi-tenancy is part of cloud design that enables shared resources and infrastructure. Those of you who know me know that I work for EMC covering the U.S. Federal Gov as a vSpecialist, so I will default to the NIST standard first. The term Resource Pooling is used in the NIST Cloud Definition Guidance:

Resource pooling – The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

Then in the Guidance for Security and Privacy in Public Cloud computing we find this:

Shared Multi-tenant Environment. Public cloud services offered by providers have a serious underlying complication—client organizations typically share components and resources with other consumers that are unknown to them. Rather than using physical separation of resources as a control, cloud computing places greater dependence on logical separation at multiple layers of the application stack [Owa10]. While not unique to cloud computing, logical separation is a non-trivial problem that is exacerbated by the scale of cloud computing (e.g., [Bos11]). An attacker could pose as a consumer to exploit vulnerabilities from within the cloud environment, overcome the separation mechanisms, and gain unauthorized access. Access to organizational data and resources could also inadvertently be exposed to other consumers or be blocked from legitimate consumers through a configuration or software error [Opp03]. Threats to network and computing infrastructures continue to increase each year and become more sophisticated. Having to share an infrastructure with unknown outside parties can be a major drawback for some applications and require a high level of assurance pertaining to the strength of the security mechanisms used for logical separation.

NIST doesn’t completely define multi-tenant models, does it? Nope. Part of that is due to the fact that the standard is watered down by the industry to ensure they can continue to support customers. No knock on NIST here, because it has to be a tough job to create a standard for an entire industry. The way NIST builds the standard is partially through industry input; they look at what is available and what is coming, and set definitions and guidelines based off of their insights. Sometimes this leads to solid guidance and clear direction; other times it leads to a loosely coupled series of semi-defined concepts. This is certainly one of those times.

So where do we then turn for guidance? How about the NSA? The NSA defines multi-tenancy thusly:

Multi-Tenancy – Multi-tenancy is the sharing of a common cloud resource that allows the cloud provider to efficiently utilize resources for multiple tenants and can be applied to all three cloud services (IaaS, PaaS, SaaS). Sharing resources, however, could result in residual data or operations being visible or discoverable by another user due to vulnerabilities or insecure configurations. There are varying degrees and definitions of Multi-tenancy among cloud providers and many providers have the option of not sharing resources at an additional cost.

Hahaha, ok, sorry. Clearly we need to go outside of the government if we want a clear and concise definition on this topic, two terms that the government is not known for. Since I have been beating on Gartner lately, let’s see what Forrester has to say about this.

Our definition: Multitenancy defines IT architectures that let multiple customers (tenants) share the same applications and/or compute resources with security, reliability, and consistent performance.

Our research yielded three major findings about multitenant architectures. These are:

  1. Multitenant architectures must strike a balance between sharing and security. To deliver cost savings and scalability, a multitenant architecture must be able to manage dynamic resource consumption by its tenants without violating their security. These two goals ultimately conflict with one another, since shared resources and individual security rarely go hand in hand.

  2. Two common multitenant architecture models have arisen. Dedicated resource models stake boundaries within shared infrastructure, defining the resources a tenant can access, allowing for tangible and secure walls but lower flexibility. Metadata map models chart protected pathways to shared resources, allowing for increased flexibility, but they ultimately may feel less secure.

  3. Despite resource sharing, multitenancy will often improve security. Most current enterprise security models are perimeter-based, making you vulnerable to inside attacks. Multitenant services secure all assets at all times, since those within the main perimeter are all different clients. Leveraging a mix of dedicated resources and metadata map architectures, these services can deliver stronger security.

You know what I can live with this, because at the end of the day it does actually depend.

We will never get everyone to agree on the definition of something like multi-tenant until we reach the utilization stage of solution maturity. Cloud is maturing, but it’s not there yet. In the meantime we just need to know that everyone is trying to position their solutions as multi-tenant. If you are reading this, odds are you are in a position to advise or make IT decisions, so you need to know that words and language have power (I know I have said it before). Understand that some products built for hybrid cloud management, like vRealize Automation, are only meant for multi-tenancy within a single organization (as of today). Public cloud management solutions that rely on logical separation of shared resources are not without risk. Multi-tenant dedicated resource backends are expensive; they lack the issues found in logically separating hardware and networking, but tend to have front-end issues with portals or the ever-present user-created security gap.

Education and understanding lead you to intelligent and open-eyed decisions, which means you can mitigate, accept, or minimize the risks you take. Multi-tenancy will be defined by the customer, so let’s make sure we all define their understanding of the word clearly to assist them in making the best choice possible.

Look out VMworld is a comin!

Excuse my grammar I have been binge watching Hell on Wheels.

With that out of the way, VMworld is right around the corner. With so many great sessions it can be hard to decide what to attend. I figured I would list but a few that I am excited for:

STO6548-GD – Group Discussion on Hyper-converged Infrastructure – listen to Jase McCarty and others discuss Hyper-converged. Should be entertaining and informative about how infrastructure is evolving.

MGT5318 – Becoming a vRealize Automagician: Why Automation isn’t Automatic – If for nothing else than the title is awesome, but you also get to listen to Steve Kaplan and Jad El-Zein amongst others talk about vRO and vRA integrations. This should help you get smart.

STO5133 – VMware Virtual SAN + HyTrust DataControl: Delivering Encryption Services for Data at Rest and in Motion – Another Jase McCarty session but this time focusing on VSAN and security. If you are running or thinking about running VSAN in an enterprise environment this needs to be a session you catch.

OPT5069 – Enterprise Hybrid Cloud – Federal Case Study – Ok this one is a little self-serving but this is the session I will be presenting along with Travis Howerton from Oak Ridge National Labs. If you are interested in how IT is evolving in the Federal environment and how hybridity helps to solve real IT problems then come and say hi.

INF5539 – Infrastructure Security Panel Discussion – This is one I normally try to catch; it looks at virtualization security and how that scales, with Mike Foley, Greg Hatch, Steve Kaplan, and Davi Ottenheimer.

Don’t forget to use the Schedule Builder to map out your days, but leave some time for networking and socializing.

Aside from these I am looking forward to some of the evening events like the v0dgeball, the vBrisket party and the VMworld closing party at AT&T park. So say hi, stop by and let’s have a drink together and enjoy the fun and excitement that is VMworld.

Oh, and let me know you read the site and get yourself a VirtuallyMike zipper pull, cause who doesn’t like swag?

* Update: Here is the official list of VMworld activities and gatherings