How to secure your hybrid IT infrastructure
Is your organization launching a hybrid IT project? If so, you might want to take a good long look at the policies and tools you're currently using, as they might be insecure.
Key pieces worth reviewing include identity and how you both assign and monitor privileges, boundaries between systems under your control and those outside your purview, and policies and procedures written with basic assumptions that might not be valid.
Security risks rank as one of the highest concerns for IT administrators when implementing a hybrid IT environment. While old security tools and techniques don't necessarily need to be replaced, they may need augmentation through the use of additional tools to address the new landscape. Identity remains a key component for controlling access to corporate resources, but it must be expanded across all platforms.
Regular backups are one of the best things any organization can do to protect itself from attacks. Backups should be tested on a regular basis to ensure both integrity and validity of the data. Many ransomware attacks have been thwarted with a recent backup of import databases. For mission-critical business data, these backups, or snapshots, should be accomplished at a frequency dictated by the volatility of the data.
Traditional IT security
The world of security is a constantly changing landscape in which an agile approach is required to stay ahead of the threats. According to the chief information security officer at a large healthcare organization who spoke on condition of anonymity, "While we still rely on things like firewalls and VPNs, we do use some of the newer intrusion detection system [IDS] and intrusion protection system [IPS] products for monitoring and alerting."
The key is security in depth. You put a lock on the door (firewall), but you also put an alarm on that same door (IPS) and security cameras throughout the building (IDS), monitored by human beings. The analogy between physical and information security is a bit of a stretch but does bring out the idea of using both tools and people for the best coverage. Automated tools can take you a long way, but having a human in the loop still adds a capability that computer systems can't quite match.
Microsoft's Active Directory (AD) is the authoritative identity source for most, if not all, IT organizations of any size. The challenge is how to leverage that resource in a way that makes sense and addresses any potential issues from both a security and performance perspective. Many tools exist to help with the monitoring and managing of your AD infrastructure.
Both Microsoft and VMware have recently incorporated encryption for their virtual machine disks and the transport used to move or migrate VMs from one host to another. The encrypted disks require a key stored in a repository. The key is provided only once the system connects and authenticates through the use of a certificate. This prevents any attacker with physical access from simply copying a virtual disk.
Conducting a security audit
Looking to shore up your security posture? First take stock of the current condition of the components, starting with administrator privileges and the policies and procedures surrounding the granting and monitoring of admin rights. While this might require new tools, it also implies a need to understand the moving parts and limitations of each. If your company integrates with third-party providers, you must identify any potential risks that require mitigation.
"A number of identity issues must be considered in the hybrid IT scenario," says Edward Haletky, a principal analyst at TVP Strategy who covers cloud, security, and DevOps, among other topics. "First, as an IT organization you still need control of the process, and that becomes the problem. Getting authenticated is not the real issue, but who has access. Role-based access control is limited in many cloud services, with some offering only admin or not—with no in between."
Conducting a comprehensive security audit should be one of the first tasks on your list. This includes evaluating firewall policies and any existing applications that require a firewall rule. You should examine all users and existing privileges to ensure no administrative rights were given to someone that didn't need them. Local administrator rights on servers need to be reviewed to determine if any users or service accounts should be removed.
Ask any IT administrator about the effects of so-called shadow IT on their security and you're bound to get a few horror stories. In today's environment, this extends to unauthorized usage of cloud apps as well. A comprehensive monitoring or logging tool can help identify shadow IT situations and bring them under corporate control. While many of them might be harmless, they can introduce vulnerabilities if left unchecked.
Battening down the hatches
Using existing tools and capabilities smartly is still a good approach. "Our primary method for allowing external vendors access to our network centers around known IP addresses and SAML," says the healthcare CISO. Security Application Markup Language, SAML 2.0, is supported by all the big cloud providers, including Amazon Web Services, Google's cloud services, and Microsoft's Azure.
Microsoft has invested a great deal in the Azure platform and extending AD to support all of its cloud-based services. Azure AD currently handles upwards of 1.3 billion authentications per day. For existing Microsoft customers looking to expand their AD services to the cloud or other sites, Azure AD Connect is a good option. AD Federation Services provides the mechanism to configure a hybrid environment connecting an on-premises infrastructure with a number of complex scenarios.
For systems running the Windows Server operating system, it is possible to lock down many potential security risks using group policy objects (GPOs). Common threat scenarios here include privilege escalation, where an attacker attempts to gain access to sensitive information by gaining increased privileges with compromised credentials. GPOs allow an administrator to disable features like LDAP's Simple Bind, which permits unencrypted passwords.
Microsoft's Advanced Threat Analytics product can detect plain-text passwords passed in an unsecure way using LDAP. This same product will scan for credential exposures through service accounts as well. "We have recently seen a rash of compromised databases based on NoSQL products like MongoDB," says Craig Young, principal security researcher at Tripwire, a company that provides advanced security and compliance tools. "The issue centers around default installations, which are inherently insecure. These systems must be configured to explicitly deny remote access and change any default passwords." Young also recommends a tiered or layered security approach that includes both monitoring and active scanning.
Tools for the job
Gartner defines cloud access security brokers (CASB) as "on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed." A good number of vendors exist in this space. Many deliver software as a service that mediates between corporate applications and cloud services.
Tripwire, for example, offers a security information and event management tool that establishes a baseline of normal activity and then monitors the system for large deviations from that norm. If the activity monitor detects abnormal behavior, it generates an alert to a designated recipient list. Other tools, such as universal threat monitoring appliances, can provide detailed inspection of network traffic to look for malicious behavior.
Encryption is built into many storage systems, as well as operating systems such as Windows Server. Microsoft's BitLocker technology encrypts at the drive level. This covers the data at rest issue and protects against theft of a physical device. At the network level, most companies use some type of virtual private network (VPN) to protect traffic between partners and between corporate assets such as laptops and the internal network. Microsoft has addressed the complexity of VPNs in later versions of its operating system with tools like Direct Access and a feature called Work Folders. Both use certificate-based authentication to connect corporate assets back to internal resources.
Network and application monitoring tools also help with the monitoring and management of networked resources. Several companies sell both single and multifunction monitoring tools that provide reporting and agent-based monitoring to gain insight into local and remote resources. These tools have the ability to monitor both on-premises systems and cloud-based services.
Hybrid IT security has many challenges, some of which require new policies and tools to keep the system safe. It also requires IT staff to learn new methods while maintaining legacy components, many of which will continue to operate as they always have. The key here is to know which pieces to keep and which ones to either remove or augment with something new. Finding vendors you can trust is key and must be a priority for any IT manager.
Hybrid IT and security: Lessons for leaders
- Up-to-date security technologies that extend from the legacy environment are critical.
- Using the public cloud means exposure to the most current threats. Security teams need to keep that firmly in mind and update and prepare accordingly.
- Don't be afraid to use security technologies built into your physical and virtual hosts.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.