Mohammed Al Mulla - Best practices to secure working environments
Best Practices to Secure Working Environments<br />Mohammed Almulla<br />Kuwait University<br />
Executive Summary<br />Recent changes in computing architecture from dedicated servers in datacenters to virtualization and Cloud Computing suggest that we rethink our IT security methodologies.<br />The focus is on database security, as well as on securing most enterprise applications.<br />
Table of Contents<br />Limitations of existing database security approaches.<br />Security considerations when deploying virtualization.<br />How distributed monitoring best fits virtual and Cloud Computing environments.<br />
Securing Information in Virtualization<br />Many enterprises plan to move some applications to Cloud Computing in the future.<br />How does this affect their IT security methodologies?<br />
Recent Requirements<br />Working environments are centered around two major technological requirements: <br />Very High Performance Networks (VHPN)<br />Complex applications.<br />
Market Response<br />To meet these requirements, security companies introduced a range of network appliances. <br />Network Appliances: machines positioned somewhere in the network to inspect the traffic for protocol violations, malicious code, viruses, malware or spam.<br />
Types of Security Solutions<br /><ul><li>Host-based system</li><li>Network-based system</li></ul>
Winning the Battle<br />In this era, solutions that depend on host-based software are neglected. <br />Network-based IDS and IPS won the battle against host-based solutions. <br />The concept of simply placing an appliance in a rack and attaching it to a switch is very attractive, especially when resources available for security are limited.<br />
Recent Trend<br />Today, many distributed applications have been leading to the adoption of host-based solutions, in conjunction with network appliances, especially when enterprises are concerned with insider transactions.<br />
Network-based Isn’t Enough<br />New databases are appearing dynamically in new locations. <br />Question 1: Will the network appliance approach be relevant when many transactions will not make it to the network?<br />Question 2: Is the network monitoring approach efficient when the application network moves from LAN to WAN?<br />
Before & After<br />Previously, databases were not monitored or protected. <br />Now monitoring DBs must cover local and intra-db attacks. Because of database breaches, customers are now investing time and effort in securing their databases.<br />
Today’s Solutions<br />Recently, appliance vendors have added local agents to their solutions, making many of today’s network-based solutions a hybrid of network appliance and host-based solution.<br />
Solution Analysis<br />The hybrid approach is not ideal, but as long as most applications run on the network in plain sight of the appliance, some enterprises were willing to accept the risks.<br />
Disadvantages<br />These hybrid solutions introduce complex implementation requirements, such as kernel-level installation of the agent, which, for example, requires rebooting the DB server. <br />They still miss the sophisticated attacks generated from within the database itself. <br />They also fail to address several technical challenges when implemented in either virtual environments or the cloud. <br />
Challenge #1 – Visibility Into VM-to-VM Transactions<br /><ul><li>One of the benefits of virtualization is the ability to share resources, resulting in environments where both the application and the databases are migrating to virtual machines.</li>
<li>The communication from the CRM application to the database storing customer data occurs entirely within the same physical server.</li>
<li>In such a case, there is little or no network traffic as the transactions between the application and the database occur from VM-to-VM within the server.</li>
<li>Network monitoring appliances will not see these transactions.</li></ul>
Solution<br />Bring security inspection closer to its target: This is called a “virtual appliance”, where a virtual machine is installed on virtual servers and the servers are re-architected to send traffic through the virtual machine. <br />Warning: This approach has two severe drawbacks:<br />- Performance<br />- Architecture complications.<br />
Challenge #2 – The Dynamic System Environments<br />If virtual security appliances are not ideal solutions for virtual machines, they are even less applicable in cloud-based applications, where networks are dynamic.<br />
Solution<br />The only solution that works in all environments, including the Cloud environment, is one based on sensors that run side by side with the database on every machine that hosts one or more databases.<br />
Challenge #3 – Performance Over WAN<br /><ul><li>In Cloud Computing deployments, network bandwidth and latency will make off-host processing too inefficient.</li>
<li>Cloud Computing prevents you from co-locating a server close to your databases – you simply won’t know where they are.</li>
<li>This will slow down network performance and prevent timely interruption of malicious activity.</li></ul>
Solution<br /><ul><li>Implement the necessary protection locally. This will ensure the network’s performance.</li>
<li>For Cloud Computing, make sure that the system supports wide area network (WAN) topologies.</li>
<li>To limit exposure of sensitive data, encrypt all traffic between the management console and sensors. For optimum performance, implement compression techniques so that policy updates and alerts are transmitted efficiently.</li></ul>
Distributed Host-based Solutions: The Only Efficient Approach<br />The only way to secure databases on virtual machines or cloud environments, without sacrificing the huge benefits of these new architectures, is using software-based solutions that share the elasticity of virtual machines and Cloud Computing. <br />
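The local-sensor design from the Challenge #3 solution, sketched as an added example that is not part of the original slides: a sensor on the database host decides on each statement locally, queues alerts that carry a digest instead of the SQL text, and compresses them into one batch for the console. The rule names, event fields and host name are constructed for illustration, and the encrypted channel to the console (for example TLS) is assumed and not shown.

```python
import hashlib
import json
import re
import zlib

# Constructed policy: (rule id, pattern over the SQL text, local action).
POLICY = [
    ("R1-card-read", re.compile(r"select\b.*\bcard_number\b", re.I | re.S), "terminate"),
    ("R2-dba-grant", re.compile(r"\bgrant\s+dba\b", re.I), "alert"),
]

# Constructed events, as a sensor on the database host might observe them.
EVENTS = [
    {"user": "crm_app", "origin": "local", "sql": "SELECT name FROM customers WHERE id = 7"},
    {"user": "crm_app", "origin": "local", "sql": "SELECT name, card_number FROM customers"},
    {"user": "dba_bob", "origin": "network", "sql": "GRANT DBA TO temp_user"},
]


class Sensor:
    """Runs beside the database; decides locally, reports in batches."""

    def __init__(self, host):
        self.host = host
        self.pending = []  # alerts not yet sent to the console

    def inspect(self, event):
        """Return 'allow', 'alert' or 'terminate' with no console round trip."""
        for rule_id, pattern, action in POLICY:
            if pattern.search(event["sql"]):
                self.pending.append({
                    "host": self.host, "rule": rule_id, "action": action,
                    "user": event["user"], "origin": event["origin"],
                    # Report a digest, not the statement, to limit data exposure.
                    "sql_sha256": hashlib.sha256(event["sql"].encode()).hexdigest(),
                })
                return action
        return "allow"

    def flush(self):
        """Serialize and compress pending alerts into one blob for the WAN link."""
        raw = json.dumps(self.pending, separators=(",", ":")).encode()
        self.pending = []
        return zlib.compress(raw, 9)


def read_batch(blob):
    """Console side: decompress and decode an alert batch."""
    return json.loads(zlib.decompress(blob))
```

Feeding `EVENTS` through `Sensor("db-vm-01").inspect` yields a verdict per statement on the host itself, including the `local` sessions that a network appliance would never see; `flush()` then produces the single compressed batch the console decodes with `read_batch`.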
The Ultimate Challenge<br />The challenge is to create host-based solutions that do not suffer the same drawbacks that made old host-based solutions irrelevant, namely:<br />Intrusive implementations<br />Performance issues<br />Inability to adapt quickly to new and volatile environments.<br />
Next-generation Solutions<br />Next generation solutions must be lightweight, easily added to the virtual machine where needed, and installed in parallel to the first database that is installed on a machine. <br />
Promoting Stability<br />Adding a layer of security does not require changes in architecture and does not rely on the virtualization technology in use. <br />
Conclusions<br /><ul><li>Many organizations found themselves drawn towards virtualization and Cloud Computing.</li>
<li>They realized that the complexity of ensuring adequate data security is an obstacle.</li>
<li>But, the movement towards these technologies is inevitable.</li>
<li>There are solutions out there that protect sensitive information as well as provide both effective and efficient data security across dedicated database servers as.</li></ul>
Thank You<br />