WHITE PAPER
Today’s Virtual World,
and its Very Real Risks
Understanding the New Security Paradigm
Executive Summary
Today’s data resides in a virtualized world, but the risks are all
too real, and, in many organizations, too frequently realized.
This paper examines the fundamental security implications
of cloud services and virtualization, and it details an approach
organizations can take to safeguard sensitive assets in a way
that is aligned with today’s dynamic environments.
“Increasingly, organizations are looking to the
cloud and virtualization to gain competitive
advantage... Interestingly, these benefits are so
compelling that some executives are keen to
move in this direction, even if they have to pay
more as a result.”
Gargi Mitra Keeling, CISA,
Group Product Manager, Networking and Security, VMware
Introduction
Virtualization has grown increasingly ubiquitous in a relatively brief time span, to the extent where it is estimated that
about two thirds of workloads running on x86 servers are now
virtualized1. In spite of this pervasive usage, the drivers and
purposes of virtualization continue to evolve, however.
Historically, the key driver for virtualization was cost savings,
with organizations focusing on getter higher utilization out
of their existing resources, and particularly reducing costs in
their development environments. As Gargi Mitra Keeling from
VMware pointed out, that is starting to change: “Increasingly,
organizations are looking to the cloud and virtualization to
gain competitive advantage, whether that means becoming
more agile, scaling more quickly, or speeding the delivery of
new offerings,” Keeling stated. “Interestingly, these benefits
are so compelling that some executives are keen to move in
this direction, even if they have to pay more as a result.”
In moving business-critical, production applications to virtual
and cloud environments, organizations need to address
several critical security challenges. This paper looks at the
implications of moving sensitive data and workloads into the
cloud and virtualized environments, and it explores how to
address the new security challenges that arise in
these environments.
“Moving forward, the responsibility will
ultimately always reside with the enterprise,
not the cloud provider. As the Cloud Security
Alliance has stated, ‘You can outsource
[a] business capability or function but you
cannot outsource accountability for
information security.’”
Challenges
In many ways, the new status quo is truly uncharted territory.
IT and security organizations continue to struggle to adapt,
educate staff and users on risks, and establish optimal
security policies and best practices. Adding to the challenge is
that, when leveraging external cloud services, IT and security
teams need to establish clear definitions of responsibilities
and coordinate effectively with cloud providers’ staff. Moving
forward, the responsibility will ultimately always reside with
the enterprise, not the cloud provider. As the Cloud Security
Alliance has stated, “You can outsource [a] business capability
1) ServerWatch, “Taking Stock of the State of the Server Virtualization Market”, Paul Rubens, August 5, 2013,
http://www.serverwatch.com/server-trends/the-state-of-the-server-virtualization-market.html
Today’s Virtual World, and its Very Real Risks - White Paper
1
or function but you cannot outsource accountability for
information security.”2
“Today, hundreds of new virtual instances can
be initiated instantly—and they can also be
taken down just as quickly. Consequently, the
process of setting, applying, and maintaining
security policies has to happen much
more quickly, and becomes much more
challenging.”
Patrick McBride,
VP Marketing, Xceedium
Further, as Patrick McBride, a VP of Marketing with Xceedium
revealed, this new paradigm continues to evolve with
incredible speed. “In the past, new systems needed to be
procured, deployed, tested, and so on, processes that could
take weeks or months,” McBride explained. “Today, hundreds
of new virtual instances can be initiated instantly—and they
can also be taken down just as quickly. Consequently, the
process of setting, applying, and maintaining security policies
has to happen much more quickly, and becomes much more
challenging.”
Quite simply, traditional tools and tactics weren’t designed
to support these new realities. Prior controls and tools need
to be reengineered for today’s highly dynamic environments.
As organizations struggle to work through this transition,
security risks continue to grow more prevalent, and, as
outlined in the next section, these risks can have serious
ramifications for organizations.
High Stakes: The Insecure State of Information
Security
In many of today’s organizations, devastating breaches
and advanced attacks are an increasingly common
part of the landscape. The Verizon 2013 Data Breach
Investigations Report indicated that in 2012 more than 47,000
security incidents occurred and 44 million records were
compromised—and that the full extent of record loss was not
even known in 85% of these breaches3. In other words, this
44 million figure may just be the visible portion of a very big
iceberg.
experienced a breach. Consequently, it’s not surprising that
one in five would not entrust their own personal data to their
own organizations. In spite of this lack of confidence, 95%
continue to implement the same security strategies. Quite
simply, while virtually every thing about how data is managed
is changing, the same security approaches of the past
continue to be employed, and confidence begins to sag.
Implications of Cloud and Virtualization
As organizations continue to more fully leverage cloud
services and virtualization technologies, they have to contend
with several security implications. When migrating to the
cloud and virtualized environments, data can start to reside
in many more locations, with many more copies being
generated.
“Organizations can’t simply try and replicate
the perimeter defenses of the past and expect
them to apply in today’s world.”
Jason Hart
VP, Authentication and Cloud Visionary, Gemalto
Jason Hart, a VP of authentication and cloud visionary with
Gemalto, detailed the key implications of these changes: “In
the past, security organizations did a good job of effectively
building castle walls, a strong perimeter that could separate
internal users and assets from the outside world. Especially
given the migration to the cloud, the security provided by
those walls, and the very notion of internal versus external,
starts disappearing. Data centers may be consolidated,
users are increasingly mobile, workloads and data can be
anywhere.”
Organizations can’t simply try and replicate the perimeter
defenses of the past and expect them to apply in today’s
world. In traditional data centers, security policies were
applied to physical machines. When physical systems are
virtualized, workloads can easily move from hosts running
on machines with stringent security policies to hosts with
permissive security policies. Given the automated operations
of distributed, virtualized environments, sensitive data can
be moved and replicated without the knowledge of IT security
staff. This makes enforcing control at the workload level
critical.
A recent Gemalto survey sheds some further light in this
area. More than 850 security professionals from across
North America and EMEA were polled. The survey revealed
that security professionals are in large part resigned to the
fact that successful breaches will occur. 66% expect to have
a breach in their organizations in the next three years. Only
56% could say definitively that their organization hadn’t
2) Cloud Security Alliance, “The GRC Stack (V2.0): Understanding and applying the CSA GRC stack for payoffs and protection”,
https://cloudsecurityalliance.org/wp.../11/GRC_Stack_PPT_Final.pptx
3) Verizon 2013 Data Breach Investigations Report, pages 4, 11, 46
Today’s Virtual World, and its Very Real Risks - White Paper
2
New Approach Required: Post-breach Security
As they seek to develop effective security approaches and
strategies, all security executives have to contend with a core,
unalterable reality: Resources are limited. Consequently,
executives must always balance security demands and
budgetary realities. As executives look to balance security
mandates and budgetary realities, two schools of thoughts
have emerged:
> Adopt a risk-based approach, building protections around
assets, so if and when the perimeter is breached, those
assets will remain protected.
> Expect breaches will happen and focus on establishing
effective breach detection mechanisms.
on a clear understanding that the perimeter is increasingly
permeable, to the extent it’s even relevant, and prone to
breaches,” Martins explained. “Leaders need to understand
that a breach will occur and begin to formulate a strategy that
brings security controls closer to data, so they can ensure it
remains protected, even in spite of a breach.”
In adopting a risk—based approach, encryption becomes a
fundamental requirement. By encrypting sensitive assets,
organizations aren’t focusing on building walls, they are
focusing on protecting data. There are three key components
that are required to carry out this approach:
> Identity and access control
> Enterprise-scale encryption
> Strong, centralized key management
What are your main concerns or reasons for hesitating
in moving to the cloud?
Compliance
27%
Ownership
22%
Loss of Control
51%
Source: Webcast, “Virtual World with Virtual Risks. Can it be Cloudy
and Clearly Secure?”, May 15, 2013
However, a fundamental flaw exists with this second line of
reasoning. Organizations that take this second approach are
effectively looking to spend money on video surveillance—
without closing and locking the safe. Today, it’s a much more
sound idea to take a risk-based approach to guide strategy.
This entails starting with an understanding of the value
of assets and the risks they’re most exposed to, and then
focusing investments and policies on the protection of assets
based on those factors.
“Leaders need to understand that a breach
will occur and begin to formulate a strategy
that brings security controls closer to data,
so they can ensure it remains protected,
even in spite of a breach.”
Leonor Martins,
Principal Solutions Specialist,
Virtualization & Cloud, Gemalto
As Leonor Martins, a virtualization and cloud solutions
specialist at Gemalto, outlined, in today’s environments,
organizations need to adopt a risk-based approach focused
on achieving post-breach security. “In devising realistic and
effective security policies, it’s important to operate based
Today’s Virtual World, and its Very Real Risks - White Paper
When they incorporate identity management, encryption,
and key management, organizations can establish and retain
control over access to sensitive assets. Consider a healthcare
organization as an example of how this would work. Governed
by the Health Insurance Portability and Accountability Act
(HIPAA), the healthcare provider would face the cost and
brand damage of notifying patients if they experienced a
breach of systems containing protected health information.
By encrypting that information, the health care provider
could ensure that, even if outside attackers compromised
their perimeter and gained access to a repository containing
sensitive information, they still wouldn’t have the means to
decrypt and actually access that data. Consequently, even if
they experienced a perimeter breach, they wouldn’t have to
incur the costly ramifications of notifying patients—because
patient data would remain safe.
Identity and Access Control
In cloud and virtual environments, user identities effectively
become the new perimeter that security teams need to focus
on securing. Following are some key factors to consider in
understanding why this new perimeter is so critical to guard,
as well as insights for implementing sound access control
policies.
Why Access Control is Critical
While it’s always been a vital effort, managing access
control is perhaps more critical than ever. Why? According
to the Verizon 2013 Data Breach Investigations Report,
“it really comes as no surprise that authentication based
attacks (guessing, cracking, or reusing valid credentials)
factored into about four of every five breaches.”1 One of the
key recommendations from the report reads as follows:
“Controlled Use of Administrative Privileges: Identification and
monitoring of administrative accounts, restriction of access
to administrative accounts, and securing administrative
accounts with strong authentication.”2 This effort is critical
1) V
erizon 2013 Data Breach Investigations Report, Page 34
2) V
erizon 2013 Data Breach Investigations Report, Page 57
3
because, even if an organization builds strong protections
around specific assets, if it’s easy for administrators to
misuse their privileged access or for external attackers to
gain access to their credentials, those controls will go for
naught.
Where do you think a data breach may occur?
Insider threat/
disgruntled employees
28%
Phishing attacks
18%
Unapproved
hardware
10%
Weak credentials
36%
Data center/virtual
data center
8%
Source: Webcast, “Virtual World with Virtual Risks. Can it be Cloudy
and Clearly Secure?”, May 15, 2013
Strong access controls are vital to being able to determine
whether the individual logging in is a privileged administrator
or general end user, whether they should have access to an
entire system or a specific subset of elements on a given
system, and so on.
Having multi-factor authentication enables security teams
to understand with acuity who is trying to get access to data.
When encryption is employed, only one piece of the puzzle is
in place. It comes down to access controls to ensure that only
authorized users are able to decrypt a sensitive asset.
Strong authentication is a vital means for correlating
specific actions to specific users, which is important not
just for preventing or mitigating breaches, but also doing
investigations after a breach. If multiple administrators share
a log in, and a breach occurs using those shared credentials,
it may be difficult, if not impossible, to establish accountability
for a given individual. Further, establishing this accountability
is particularly critical if charges need to hold up in a court of
law. To provide the detail necessary, organizations don’t just
need logs, but the power of multi-factor authentication to
specify, for example, who logged in as root administrator at
12:45 pm.
Understanding when and where to use multi-factor
authentication should be a part of a rigorous risk
management assessment, defining the level of risk associated
with a given asset or system, the cost associated with having
that asset stolen or corrupted, and so on. In some cases,
multi-factor authentication may be overkill, however, in other
cases, particularly in the case of privileged administrative
access, this added layer of security is absolutely essential.
Today’s Virtual World, and its Very Real Risks - White Paper
Further, this assessment needs to be done on an ongoing
basis. For example, there was a case of a hack of the Twitter
account of the Associated Press. As a result of the hack,
an unauthorized user was able to post a fraudulent tweet,
claiming the president had been attacked. While this hack
ultimately was uncovered, it wasn’t until the after the report
was released, which had significant implications for stock
markets. While a security executive at the Associated Press
may not have viewed the Twitter account as a critical asset
requiring strong, multi-factor authentication before, that
perception would clearly have been altered after the breach.
Access Control in the Cloud
Strong access controls are critical, and that’s true whether
sensitive assets are hosted internally in a virtualized data
center or in an external cloud environment. However, the
reality is that access to many cloud services is only governed
by static user names and passwords. Increasingly, it will
be incumbent upon organizations to refrain from using any
enterprise cloud solution that doesn’t either provide support
for multi-factor authentication or enable an organization to
use its own multi-factor authentication platform.
Need for Centralization
Initially, organizations often treat access controls for
virtualization and cloud environments as new, distinct
efforts, which Jofre Palau, a group product manager for
authentication solutions at Vodafone, revealed, is problematic
in the long term. “Quite often, when people are moving to the
cloud, they tend to be focused on the specifics of the service,”
Palau explained. “Consequently, a security team may start
to construct specific policies and authentication methods for
each different cloud service, effectively creating multiple silos
of authentication management. Over time, leadership will
come to realize that this siloed approach can create a new set
of problems, which can ultimately negate many of the benefits
of migrating to the cloud in the first place.”
“Over time, leadership will come to realize
that this siloed approach can create a new
set of problems, which can ultimately negate
many of the benefits of migrating to the cloud
in the first place.”
Jofre Palau
Principal Product Manager,
Security, Vodafone
Particularly as the number and scale of these initiatives
expand, security teams will need to step back and realize
they must extend the controls they have in place across all
environments, including physical and virtual systems housed
on premise, private clouds, and public clouds.
4
If you have the option to enable two-factor authentication
for a cloud application, would you use it?
Yes
92%
No
8%
Source: Webcast, “Virtual World with Virtual Risks. Can it be Cloudy
and Clearly Secure?”, May 15, 2013
Enterprise-scale Encryption
There are a range of encryption platforms, approaches, and
products organizations can choose from, and these various
options will ultimately yield very different results, especially
in terms of security. In assessing the merits of various
approaches, it is critical to look at the types of breaches you’re
looking to guard against and focus efforts accordingly.
So where do you focus? The Verizon 2013 Data Breach
Investigations Report stated that “Two-thirds of breaches
involved data stored or ‘at rest’ on assets like databases and
file servers. The other one-third was being processed when
compromised… There were no instances in which data was
compromised in transit.”1
Central key management capabilities enable
the organization to retain control over sensitive
assets, regardless of whether data is located
in physical servers, virtual environments, or
cloud services.
Given this, encryption of data at rest will be of paramount
importance in addressing some of the most common attacks.
Encryption offers a mechanism that enables authorized users
to continue to access the data required, while leaving it in
an encrypted state so those who do not have permissions
can’t gain access. In virtual environments, data doesn’t just
reside in the database, it can also be accessed through virtual
machines. Consequently, organizations should look to encrypt
not just data, but also virtual machines.
Following are some of the areas where encryption can be
implemented today:
> In the data center, security teams can deploy encryption in
databases, applications, mainframes, and storage systems.
> In the cloud, encryption can be done in virtual servers,
applications, and storage.
1) Verizon 2013 Data Breach Investigations Report, Page 47
Today’s Virtual World, and its Very Real Risks - White Paper
Strong, Centralized Key Management
When it comes to key management, various organizations
can be in very different positions with respect to the level of
sophistication and security that have been realized. While
organizations in some industries are well versed in key
management, and have robust deployments in place, in others,
there may only be rudimentary or tactical implementations.
Still other organizations have been reluctant to engage in
encryption at all due to concerns about key management and
the level of investment and effort required.
For those organizations who have either limited encryption
and key management deployments or who have deployed
encryption in an isolated, ad hoc fashion, it important to
underscore the critical nature of managing cryptographic keys
in a centralized fashion. Especially as encryption usage grows,
this centralization is the only way to practically, cost effectively,
and securely manage keys.
It is also important to stress that the degree to which
cryptographic keys are secured will play a great role in the
degree to which encryption ultimately yields the security
benefits desired. Keys need to be stored in secure key vaults,
and teams need to establish a root of trust that serves as the
foundation for sensitive transactions.
Central key management capabilities enable the organization
to retain control over sensitive assets, regardless of whether
data is located in physical servers, virtual environments,
or cloud services. To centrally and effectively manage keys
in virtualized environments, organizations need to address
several critical requirements:
> Availability. When data is encrypted, data availability is
directly aligned with key availability. Consequently, it’s vital
to store keys in a way that delivers maximum performance,
continuous availability, and effective disaster recovery.
> Lifecycle. Within any organization, data generated today
may need to be retained for many decades. Consequently,
robust capabilities for key lifecycle management are
critical. This includes capabilities for key rotation, rekeying,
secure key destruction, auditing, and system recovery.
> Data protection. One of the key benefits of effective, central
key management is the ability to effectively render data
unreadable when needed. In the event of a compromise, an
organization can delete the keys associated with the
compromised systems or data, and by doing so, ensure
unauthorized users will never get the keys required to
decrypt sensitive assets.
Conclusion
Today, sensitive data and critical workloads are running in
virtualized and cloud environments. To effectively safeguard
these sensitive assets, organizations need to move beyond the
perimeter-based security approaches of the past and start
implementing a risk-based approach that is focused on data
and workloads. By adopting this approach, organizations can
ensure that, even if the perimeter’s breached, sensitive assets
will remain secure.
5
Jofre Palau, Principal Product Manager,
Security, Vodafone
With more than 10 years of experience in
telecommunications security, Jofre holds a
degree in telecommunications and several
security certifications, including CISSP, CISA,
CISM, and CEH. Jofre has extensive experience managing
such security projects such as PKI services, application
certification, intrusion detection systems, handset security,
and more. www.vodafone.com
Gargi Mitra Keeling, Group Product Manager,
Networking and Security, VMware
As group product manager, Gargi is focused
on strategy and product planning for the NSX
platform. During her three years at VMware,
she has held various product management
roles with a focus on platform security (ESXi, vCenter) and
application security (vShield solutions). At VMware, she is
working with her extended team to deliver agile network and
security services that are fundamentally better than physical
alternatives. www.vmware.com
Patrick McBride, VP Marketing, Xceedium
A seasoned marketing executive with more
than 20 years of experience in the ITsecurity industry, Patrick leads Xceedium’s
worldwide marketing initiatives. Patrick
joined Xceedium from PMB Consulting,
Inc., a strategic marketing firm focused on helping hightechnology companies define their cloud marketing and
product strategies. Prior to joining PMB, Patrick co-founded
and served as CEO of META Security Group, a security
and compliance software company, which was acquired by
Scalable Software. www.xceedium.com
Leonor Martins, Principal Solutions
Specialist, Virtualization & Cloud, Gemalto
Leonor has over 15 years of experience in
the IT industry, with a broad background in
virtual data centers, virtual desktops, cloud,
and traditional data center environments
and operations. Prior to joining Gemalto, Leonor worked at
Wellesley College as a virtualization architect and IT manager.
www.safenet-inc.com
Jason Hart, VP, Authentication and Cloud
Visionary, Gemalto
Jason Hart is VP Cloud Solutions at Gemalto
where he drives the ‘as a service’ offerings.
Prior to Gemalto, He was the CEO and VP
Sales of Cryptocard, acquired by Gemalto
in March 2012. Jason, a former ethical hacker, has over
seventeen years of experience in the Information Security
industry, and has used his knowledge and expertise to create
technologies that ensure organizations stay one step ahead of
the security game. www.safenet-inc.com
About this Paper
This white paper was developed based on the insights
conveyed at a webinar entitled “Virtual World with Virtual
Risks. Can it be Cloudy and Clearly Secure?” The webinar
featured a lively panel discussion with the industry experts
listed above. To view the event or learn more, visit
https://www.brighttalk.com/webcast/6319/73021.
About Gemalto’s SafeNet Identity and
Data Protection Solutions
Through its acquisition of SafeNet, Gemalto offers one of the
most complete portfolios of enterprise security solutions
in the world, enabling its customers to enjoy industryleading protection of data, digital identities, payments and
transactions – from the edge to the core. Gemalto’s newly
expanded portfolio of SafeNet Identity and Data Protection
solutions enables enterprises across many verticals, including
major financial institutions and governments, to take a datacentric approach to security by utilizing innovative encryption
methods, best-in-class crypto management techniques, and
strong authentication and identity management solutions
to protect what matters, where it matters. Through these
solutions, Gemalto helps organizations achieve compliance
with stringent data privacy regulations and ensure that
sensitive corporate assets, customer information, and digital
transactions are safe from exposure and manipulation in order
to protect customer trust in an increasingly digital world.
Contact Us: For all office locations and contact information, please visit www.safenet-inc.com
Follow Us: data-protection.safenet-inc.com
GEMALTO.COM
Today’s Virtual World, and its Very Real Risks - White Paper
©2015 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-Mar.30.2015 - Design: Jubemo
About the Cloud Summit Panelists
6