we secure your business

Security

Browser security warning lookalike pushes malware

The Register - Security - Mon, 09/06/2010 - 11:42
Zeven deadly sins

Scareware peddlers have developed a new ruse that relies on mimicking browser warning pages.…

Category: Security

Using the HAVP anti-virus proxy to protect from web attacks

The H Security - Mon, 09/06/2010 - 11:29
The free HAVP proxy, combined with free virus scanners for Linux, reduces the risk of falling prey to attacks when browsing the internet on a Windows PC. Its installation is anything but rocket science

Category: Security

USB stick with anti-terror training found outside police station

The Register - Security - Mon, 09/06/2010 - 10:07
Keychain cops

A memory stick containing anti-terror training manuals and other sensitive material was reportedly found on a street outside a Manchester police station.…

Category: Security

Organized Web Mobsters Getting Jobs Inside

Infosec Island - Mon, 09/06/2010 - 08:10

In 2009, there were a reported 140 million records compromised, compared to 360 million in 2008. In 2010 there have been almost 13 million records stolen. But don’t have a party just yet.

Criminals are fine-tuning their craft and getting better. The industry just isn’t making it as easy. 97% of those records were stolen using malware – malicious software designed to attack the target’s existing systems and software in place.

A reported 50% of the malware was installed remotely. Almost 20% came from visiting infected websites and almost 10% was installed when employees clicked infected links that conned or “socially engineered” them.

A recent Verizon report stated, “Over the last two years, custom-created code was more prevalent and far more damaging than lesser forms of customization, the attackers seem to be improving in all areas: getting it on the system, making it do what they want, remaining undetected, continually adapting and evolving, and scoring big for all the above.”

This may also be attributed to an inside job. A rogue employee on the inside always has the advantage of knowing exactly how to remain undetected.

The report further stated that organized crime rings may “recruit, or even place, insiders in a position to embezzle or skim monetary assets and data, usually in return for some cut of the score, the smaller end of these schemes often target cashiers at retail and hospitality establishments while the upper end are more prone to involve bank employees and the like.”

In the past three years that’s a total of 513 million records. On average, every citizen has had his or her data compromised almost twice. Where’s your Social Security number in that mix?

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss another data breach on Fox News. (Disclosures)

Category: Security

Dr. InfoSec's Quotes of the Week (009)

Infosec Island - Mon, 09/06/2010 - 08:00

Altering the Economics of Cybersecurity

"Economic incentives currently favor the attackers - attacks are easy, cheap, you can steal billions and your chances of getting caught are slim. If we can increase the cost to the attackers and increase the profitability of good cyber defense we can create a sustainable system..." -- Larry Clinton, Internet Security Alliance President and CEO

McAfee on APTs

"If they don’t know what it is, it’s an APT. While the attacks aren’t new — they have happened in the government world for a long time — the realization of what is going on is new. It can be difficult for an organization to sort out whether it is just a zero-day malware or if the organization is being specifically targeted. In the conventional world, if somebody launches a missile, you can pretty much understand what the intent is and you can attribute it. In the cyber world, if someone launches an attack, you might not be sure who is behind it and you don’t know what the intent is. In the military world, they make a distinction between information gathering and an actual attack..." -- George Kurtz, worldwide CTO for McAfee

Microsoft on Privacy

"Every piece of data on the Internet maps back to who created it and who they know. Where they were when they did it, where they've been and where they plan to go. What they are interested in, attend to, and interact with, and is around them, and when they do these things. The contextualization of the web in the world and the connection of the world to the web, mediated by the connections of people to each other, is forming a new Internet which has vast implications of privacy, identity, and innovation; and how we are going to structure our societies and our economies..." -- Marc Davis, Partner Architect at Microsoft Online Services Division

Lynn on National Cyber Strategy

“The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces; to employ layered protections with a strong core of active defenses; to use military capabilities to support other departments' efforts to secure the networks that run the United States' critical infrastructure; to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyberdefense capabilities. The goal of this strategy is to make cyberspace safe so that its revolutionary innovations can enhance both the United States' national security and its economic security...” -- William Lynn, the US Deputy Secretary of Defense

Cross-posted from Dr. Infosec

Category: Security

In Santayana's market for alternative money, the future is within the Firm!

Financial Cryptography - Mon, 09/06/2010 - 05:59

Social Networks were the next big thing half a decade back, and to anyone in the field of financial cryptography they were obviously well matched to the money product. Like games, before them. Those travels are reaching their destination now:

At a time when the likes of Google and Disney are beefing up in the online amusement business, a Santa Clara-based startup called PlaySpan has landed $18 million in third-round funding with plans to expand its services into Asia and Europe. Vodafone Ventures, based in the United Kingdom, and Japan's Softbank Bodhi Fund led the investment in PlaySpan, a leader in providing services that help publishers of such brands as Neopets, Dungeons and Dragons Online and Lord of the Rings Online make money. PlaySpan says its patent-pending monetization platform is used in more than 1,000 games, social networks and video sites to generate revenue, acquire new users and build customer loyalty. Game devotees may know it for its prepaid Ultimate Game Card, sold at many retailers. The investment adds to a trend of venture capital and corporate dollars flowing into the online gaming sector in recent years, a business that has proliferated with the rapid expansion of Facebook and other social networks. PlaySpan supports the popular "freemium" business model, in which publishers enable users to play for free but charge for premium extras. Earlier this month, Google, facing a growing challenge from Facebook for advertising dollars, acquired Slide for $182 million. In late July, Disney announced plans to purchase Playdom in a deal that could be worth as much as $762 million. PlaySpan counts Disney, Warner Bros. and Nickelodeon among its customers. ...

The problem a lot of us saw was the way in; like the games that came before them, and the retail-space ventures before them, and indeed the banks before anyone, the social money groups tended to pay no attention to the outsiders. So the reliable engineering path was out, and the high-risk fast marketing ramp-up path was in. Throw any schlock accounting system in and call it money! Much of the work was quite low quality, and in the retail and microfinance sectors it generally failed in part because of these characteristics. But in the games/social side, slapstick accounting dressed up as money can work. For games and social networks, it was possibly no bad decision to go light on the engineering, as they could afford to dump the lot. It was after all "social value," not real money, right?

Which brings us to the somewhat quixotic area of the gaming/gambling market. This is a money that is somewhat in both areas: social and real money, so it is facing both the demand for fast social value as well as the demand for hard monetary engineering. Dave Birch's comment over at Digital Money:

I happened to be at a seminar about online payments for gaming and gambling and sat in on a fascinating talk by Jim Noakes, the Head of Payments at Gala Coral Remote Gambling, on the challenges that he is facing at the moment. It was fascinating because his list of challenges could easily serve as the basis of a requirement specification for a next-generation payment system. Setting aside the challenges of compliance, I thought there were two key challenges that we (ie, the payment industry) might be able to help with. The first is reducing the cost of cash in, and the second is reducing the cost of cash out (ie, winnings). The latter is often where the fraudsters attack, particularly when they get payouts directed to stolen cards. And because the online gambling companies are specific targets for the fraudsters, any solutions must have a high level of security built-in from the very beginning.

What was it that Santayana said? Those who refuse to study history are doomed to repeat it? We know all this. For my part, I tracked all this in the gold payments era, and how to solve Noakes' challenge is well understood (or at least, many can count on a lot of experience). Nor is this limited information; above, Dave has informed thoughts as well.

What I find fascinating is why Santayana's curse runs so deeply in the alternative payments sector, more so than in practically any other place. Is it the flip-side of entrepreneurship, that we must run a grand lottery of knowledge, and anyone can and should play? As David Theroux puts it:

Numerous economists have shown that without the freedom to learn, discover, and act, the process of entrepreneurship is stymied, and economic progress is not possible. For example, Nobel Laureate F. A. Hayek stressed that because the details of time and place are uniquely perceived at specific moments by some people and not by others, entrepreneurial discovery is decentralized to individuals in a spontaneous, dynamic process. In The Wealth of Nations, Adam Smith understood that having access to this knowledge of time and place of opportunity leads to entrepreneurial discovery. He discussed how such entrepreneurial discovery is necessary for any firm to survive, and when such a process is ignored or hindered by government edicts, the firm’s methods of production can easily become obsolete and the firm left with mounting losses.

Or, is the regulatory monkey so fierce that the curse of innovatory spirit leads to enforced loneliness? Or, is corporate death the punishment for contracting-out, as the costs arising from uncertainty and irresponsibility sky-rocket? Or, maybe it is just that the entrepreneurial hubris runs deeper. For my own part, I recall that I simply declined to review any competitor's payment system from 1996 onwards, as there was no personal ROI in it. Consequently, my designs were occasionally overtaken by some systems, in some areas, but the experience still didn't change my views that spending time improving my own systems was better than spending time on "competitive intelligence".

No matter the why, it does seem a fairly convincing principle. The payment system is an internal, business-focussed evolutionary animal. With a nod to Ronald Coase's theory of the firm, it may well be that the future of payments lies within the firm, because we'll be darned if we ever discuss it outside the firm! Just about every innovation in the last decade (including my own) has occurred within this space. The potential for reduction in costs and improvements in Hayekian information flow within the firm are immense, far greater than they are between firms. And also, those that fight against innovation in money and the digital economy are going to find it harder to fight. After all, it's just another schlock accounting system, right?...

Category: Security

One Page to Share with Your Management

TaoSecurity - Sun, 09/05/2010 - 14:37

I thought this brief question-and-answer session, Richard Clarke: Preparing For A Future Cyberwar by Kim S. Nash, extracted the essence of advanced persistent threat problems and how to address them. I'd like to publish the whole article, but instead I'll highlight my favorite sections:

Nash: How can the federal government protect companies?

Clarke: Do more. As a matter of law and policy, the federal government should actively counter industrial espionage.

Most U.S. government counterintelligence operations are focused on intelligence against the government, not companies, and most of those are focused on spies. It's a very 20th-century approach.

Until someone makes law or policy changes that say the U.S. Cyber Command can defend AT&T or Bank of America, it doesn't have the legal authority to do that. I think it should. The government also has to explain the threat to corporations.


Also:

Clarke: Until CEOs and boards of directors are faced with black-and-white evidence that they have lost a terabyte of information and that this has resulted in some other company beating them to market, until they have their noses rubbed in it, they're reluctant to do anything special...

Often, the CIO really needs board-level commitment and CEO commitment, not just of resources but to policies necessary for protection. Most of the time, all people want the CIO to do is keep the network up and costs down. As a result, many CIOs have been hired for their expertise in those areas, not for expertise in figuring out how to make a resilient network that resists attack.


Finally:

Clarke: It should be the federal government's responsibility to tell companies not only when they've been attacked but when others have been, such as their competitors, so they realize this sort of thing is going on...

[S]ometimes companies don't know they've been hacked. But frequently they realize after the fact. You don't know you've lost information until a knockoff of your product or some competing products start showing up in the marketplace.


I agree with all of these sentiments.

Incidentally, I started reading the library copy of Cyber War but decided I needed to take notes in the margins. So, I bought a copy from Amazon.com. I plan to finish it and review it by the end of the month.

Copyright 2003-2010 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Category: Security

Good Reasons to Lock Down Your Wireless Network

Infosec Island - Sun, 09/05/2010 - 08:10

Do you have a wireless router? Is it appropriately configured to be secure? Why bother? I've three reasons.

  • War Driving - The revelation by Google of its inadvertent collection of publicly broadcasted SSID (the Wi-Fi network name) and MAC addresses (device identifier) while conducting their Street View data collection should serve as a reminder to tighten up our router security. Remember, anyone driving or sitting in proximity to your business, home or office may be within the exploitable footprint of Wi-Fi signal. Once within your router's footprint they too can collect your SSID and MAC addresses, and if your network is not secured, their odds of being able to collect the information traversing from one end of the connection to the next just increase exponentially.
  • Liability -- A German court recently fined the owner of a wireless router for not appropriately securing the device and thus allowing it to be used by a third party to connect to the internet via the router and engage in illegal download activity. The court in Karlsruhe, Germany noted "Private users are obligated to check whether their wireless connection is adequately secured to the danger of unauthorized third parties abusing it to commit copyright violation." The court noted that the owner could be fined up to 100 Euros. Regardless of the laws in your area, legal problems are only one of many reasons to ensure your router is secure.
  • Mistaken Identity -- As noted in the prior point, a third party used the connectivity provided by unencumbered access to an individual's router to perpetrate a crime. Think of how crime-solvers walk their data back: they trace the Internet Protocol address. If that IP address ends at your router, then it is not an inappropriate conclusion to assume the perpetrator of the crime is someone within your home/office/business. Think about the physical inconvenience of being taken down to the local precinct to sort things out, and the property seizures and recovery prospects. While you will no doubt be able to explain your way out of the situation, as did the owner of the router in Germany, why put yourself in this position?

If you see your neighbor's Wi-Fi in an unsecure state (e.g., open access), let them know. Don't assume the owner configured the device; perhaps it was a more technically savvy neighborhood high school student or a for-hire network installer -- who in both cases failed to put a WPA2 password in place.

In Queensland, Australia the police are identifying unprotected Wi-Fi during their routine patrols and notifying their owners in an effort to protect unwary citizens from their own unprotected routers. This is something suitable for neighborhood watch organizations.

Use a strong password: 8-14 characters that aren't a word and include non-predictable symbols, e.g. (B$@iJH91$(~(K. If your router is using WEP encryption and not WPA2, then think about upgrading that router of yours.

You may also consider limiting access to your network to MAC addresses you own or know. Don't forget to set up separate guest connectivity to leave a clear audit trail distinguishing between your use and guest users whom you have no control over.

This could be especially important for the small business owner whose network may be used by an unscrupulous individual.

Cross-posted from Christopher Burgess, Huffington Post

Category: Security

Google pays $8.5m to settle Buzz privacy invasion suit

The Register - Security - Sun, 09/05/2010 - 08:01
The price of a Tweetbookish Gmail mod

Google has agreed to pay $8.5 million to settle a class action lawsuit claiming it violated the privacy of Gmail users when it released Google Buzz, a Gmail bolt-on that turned the email service into a Tweetbookish social networking tool.…

Category: Security

SaaS - The Value is in the Vertical

Infosec Island - Sun, 09/05/2010 - 08:00

I’ve long contended that SaaS applications give the ability to build very specific vertical applications that tie together several different functional areas to really meet the needs of a particular class of business.

Cloud applications – with their general adoption of APIs and the resulting ease of integration with other apps – make this “quasi suite” approach viable. Intacct today announced an example of this in action.

Intacct, the SaaS accounting vendor, has partnered with Avectra, a company that provides software tools for member-based organizations. The integration combines Avectra’s association management system, a tool to manage member information, contact details and event information, with Intacct’s accounting functionality.

The aim of this is for member-based organizations to have a management tool that gives them end-to-end control within their organization.

Specific benefits that this sort of integration can bring include:

  • Greater Automation: Having the ability to automate workflows can save time and reduce errors within an organization
  • Increased Productivity: Re-keying data makes no sense – integrated systems remove the need for it
  • Automated Billing and Revenue Recognition: Integrating customer-facing systems with the accounting systems helps with the cashflow of the organization
  • Real Time Business Visibility: Again, integrating the customer-facing and accounting parts of the business allows for meaningful dashboards and information

While the particular details of this integration are likely to only be interesting to people with an involvement in a member-based organization, it is a great example of two distinct applications doing the heavy lifting and producing a highly tailored combined application.

Chris Anderson’s oft-quoted “long tail” theory discussed the niche strategy of selling a large number of unique items in relatively small quantities. Cloud computing is the enabler that will allow vendors to meet the needs of long tail end users, more quickly, more easily, and more successfully than in a disconnected world.

Cross-posted from Diversity

Category: Security

UN convention on Electronic Transactions: knowns and unknowns

Financial Cryptography - Sat, 09/04/2010 - 07:55

Someone at the UN has a clue about financial transactions [1]. In the UNCITRAL's Convention on Electronic Transactions, there is this (pp2):

Article 2. Exclusions
2.1. This Convention does not apply to electronic communications relating to any of the following: (a) contracts concluded for personal, family or household purposes; (b) (i) transactions on a regulated exchange; (ii) foreign exchange transactions; (iii) inter-bank ... systems... ; (iv) the transfer of security rights....
2.2. This Convention does not apply to bills of exchange [snip, similar] ... or any transferable document or instrument that entitles the bearer or beneficiary to claim the delivery of goods or the payment of a sum of money.

The first lot (a) are approximately consumer contracts, which ordinarily attract specific consumer contract protection. The second group (b) and 2.2 are financial transactions that will resonate with all financial cryptographers. Here's what the document observed in the Explanatory note (pp14):

7. ... These transactions have been excluded because the financial service sector is already subject to well-defined regulatory controls and industry standards that address issues relating to electronic commerce in an effective way for the worldwide functioning of that sector.

And (pp34):

78. The transactions in paragraph 1(b) relate essentially to certain financial service markets governed by well-defined regulatory and contractual rules that already address issues relating to electronic commerce in a manner that allows for their effective worldwide functioning. Given the inherently cross-border nature of those markets, UNCITRAL considered that this exclusion should not be left for country-based declarations under article 19.

So, because these transactions are sufficiently well designed and resolved in the first place, there is no need for the UNCITRAL to stick its oar in. Another way of putting it is that anyone engaged in those headline activities is big enough and ugly enough to look after themselves. However, UNCITRAL went on to lay out a more rigorous rationale for their exclusion. Firstly (in my order), they observe:

... the Convention does not apply to negotiable instruments or documents of title, in view of the particular difficulty of creating an electronic equivalent of paper-based negotiability, a goal for which special rules would need to be devised.

In other words, the UNCITRAL people had not seen how to do this, and they knew it was a hard problem. Proving the asset in qualitative form, as a document in paper or electronic form, was the role of the Ricardian Contract. Its rather odd digitally-signed form was directed at proving equivalence with paper form, something we called the rule of one contract or, more shortly, prove the electronic form to the judge! Yes, it's a hard problem. Empirically, only a few times has the Ricardian Contract been copied as a way to cut the Gordian knot of digital description of contracts. The problem is as much conceptual as anything, as those expert in technology typically start from an assumption of a database, which unfortunately clashes with the legal foundation of contracts. This fruitless chase down a blind alley is something that neither the lawyers nor the technologists really appreciate until they've spent all their investment. Moreover (pp35):

80. Paragraph 2 of article 2 excludes negotiable instruments and similar documents because the potential consequences of unauthorized duplication of documents of title and negotiable instruments—and generally any transferable instrument that entitles the bearer or beneficiary to claim the delivery of goods or the payment of a sum of money—make it necessary to develop mechanisms to ensure the singularity of those instruments.
81. The issues raised by negotiable instruments and similar documents, in particular the need for ensuring their uniqueness, go beyond simply ensuring the equivalence between paper and electronic forms, which is the main aim of the Electronic Communications Convention and justifies the exclusion provided in paragraph 2 of the article. ...

My emphasis. What UNCITRAL refers to as the need to ensure uniqueness and singularity is the quantitative challenge of the payment system, aspects that can be seen in SOX, and also in DigiCash's design to do rollovers of blinded coins. Finally, there is this seemingly accidental flash of wisdom:

79. It should be noted that this provision does not contemplate a broad exclusion of financial services per se, but rather specific transactions such as payment systems, negotiable instruments, derivatives, swaps, repurchase agreements, foreign exchange and bond markets. The criterion for the exclusion in paragraph 1(b) is not the type of the asset being traded but the method of settlement used ...

Which, indeed, gets right to the heart of the ultimate test. Once we have cracked the equivalence issue, and qualitatively locked down the value in a payment system, what remains is to settle trades. Trading is easy, settlement is hard. With that one simple test, we can identify whether the entire architecture is solid, which for UNCITRAL's purposes means whether the overall system meets their exclusion. Kudos to the UNCITRAL team for having enough understanding of the financial minefield to know what they were up against, and stepping aside carefully. As they summarise, which I interpret for all three of the key design challenges raised:

81 ... UNCITRAL was of the view that finding a solution for this problem required a combination of legal, technological and business solutions, which had not yet been fully developed and tested.

What they see as a known unknown is also an unknown known :) But it is fair to say that the deployment of financial cryptography that solves the issues they identify is not as widespread as we had hoped. The solutions are known; it will just take a lot longer for them to percolate....

Category: Security

IBM 2010 X-Force Mid-Year Trend and Risk Report

Sicuramente - Fri, 09/03/2010 - 20:21

A few days ago IBM's X-Force team published its report on the information security risks recorded during the first six months of the year.

I have written a few summary notes here (for anyone who wants it, the report is freely downloadable after free registration).

In short, there is no shortage of surprises, and the biggest problem recorded and emphasised is the delay with which the world's major vendors release their patches (the discovery and publication of vulnerabilities, by contrast, is trending the other way, showing greater attention on the part of the associations).

The 10 worst vendors, i.e. those with the highest percentage of general vulnerabilities left unpatched?

Here they are:

1. Microsoft, 23%
2. Mozilla, 17%
3. Apple, 12%
4. IBM, 9%
5. Sun, 8%
6. Oracle, 6%
6. Cisco, 6%
8. Novell, 5%
9. HP, 4%
10. Adobe, 3%

Happy reading: there is no shortage of food for thought, in-depth analyses (such as how the Zeus botnet works), trends and high-profile poor marks.

________
Taccuino

Category: Security

VMware’s (New) vShield: The (Almost) Bottom Line

Rational Security - Wed, 09/01/2010 - 06:27

After my initial post yesterday (How To Wield the New vShield (Edge, App & Endpoint)) remarking on the general sessions I sat through on vShield, I thought I’d add some additional color given my hands-on experience in the labs today.

I will reserve more extensive technical analysis of vShield Edge and App (I didn’t get to play with endpoint as there is not a lab for that) once I spend some additional quality-time with the products as they emerge.

Because people always desire for me to pop out of the cake quickly, here you go:

You should walk away from this post understanding that I think the approach holds promise within the scope of what VMware is trying to deliver. I think it can and will offer customers choice and flexibility in their security architecture and I think it addresses some serious segmentation, security and compliance gaps. It is a dramatically impactful set of solutions that is disruptive to the security and networking ecosystem. It should drive some interesting change. The proof, as they say, will be in the vPudding.

Let me first say that from VMware’s perspective I think vShield “2.0” (which logically represents many technologies and adjusted roadmaps both old and new) is clearly an important and integral part of both vSphere and vCloud Director’s future implementation strategies. It’s clear that VMware took a good, hard look at their security solution strategy and made some important and strategically-differentiated investments in this regard.

All things told, I think it’s a very good strategy for them and ultimately their customers. However, there will be some very interesting side-effects from these new features.

vShield Edge is as disruptive to the networking space (it provides L3+ networking, VPN, DHCP and NAT capabilities at the vDC edge) as it is to the security arena. When coupled with vShield App (and ultimately endpoint) you can expect VMware’s aggressive activity in retooling their offers here to cause further hastened organic development, investment, and consolidation via M&A in the security space as other vendors seek to play and complement the reabsorption of critical security capabilities back into the platform itself.

Now all of the goodness that this renewed security strategy brings also has some warts. I’ll get into some of them as I gain more hands-on experience and get some questions answered, but here’s the Cliff's Notes version with THREE really important points:

  1. The vShield suite is the more refined/retooled/repaired approach toward what VMware promised to deliver three years ago when I wrote about it in 2007 (Opening VMM/HyperVisors to Third Parties via API’s – Goodness or the Apocalypse?) and later in 2008 (VMware’s VMsafe: The Good, the Bad, and the Bubbly…) and, lest we forget, from 2009 (The Cart Before the Virtual Horse: VMware’s vShield/Zones vs. VMsafe API’s).

     Specifically, as the virtualization platform has matured, so has the Company’s realization that security is something they are going to have to take seriously and productize themselves, as depending upon an ecosystem wasn’t working — mostly because doing so meant that the ecosystem had to uproot entire product roadmaps to deliver solutions and it was a game of “supply vs. demand chicken.”

     However, much of this new capability isn’t fully baked yet, especially from the perspective of integration and usability, and even feature-set capabilities such as IPv6 support. Endpoint is basically the more streamlined application of APIs and libraries for anti-malware offloading, so as to relieve a third-party ISV from having to write fastpath drivers that sit in the kernel/VMM and disrupt their roadmaps. vShield App is the Zones solution polished to provide inter-VM firewalling capabilities.

     Edge is really the new piece here and represents a new function: vDC perimeterized security capabilities. Many of these features are billed — quite openly — as relieving a customer from needing to use/deploy physical networking or security products. In fact, in some cases even virtual networking products such as the Cisco Nexus 1000v are not usable/supportable. This is an example of a reasonably closed, software-driven world of Cloud where the underlying infrastructure below the hypervisor doesn’t matter…until it does.

  2. vShield Edge and App are, in the way they are currently configured and managed, very complex and unwieldy, and the performance, resiliency and scale described in some of the sessions is as yet unproven and in some cases represents serious architectural deficiencies at first blush. There are some nasty single points of failure in the engineering (as described) and it’s unclear how many reference architectures for large enterprise and service provider scale Cloud use have really been thought through given some of these issues.

     As an example, only being able to instantiate a single (but required) vShield App virtual appliance per ESX host brings into focus serious scale, security architecture and resilience issues. Being able to deploy numerous Edge appliances brings into focus manageability and policy sprawl concerns. There are so many knobs and levers leveraged across the stack that it’s going to be very difficult in large environments to reconcile policy spread over the three components (I only interacted with two), and that says nothing about then integrating/interoperating with third-party vSwitches, physical switches, and virtual and physical security appliances. If you think it was challenging before, you ain’t seen nothin’ yet.

  3. The current deployment methodology reignites the battle that started to rage when security teams lost visibility into the security and networking layers and the virtual administrators controlled the infrastructure from the pNIC up. It takes the gap-filler virtual security solutions from small third parties such as Altor, which played nicely with vCenter but allowed the security teams to manage policy, and blows that model up. Now, security enforcement is a commodity feature delivered via the virtualization platform, but it requires too complex a set of knowledge and expertise of the underlying virtualization platform to be rendered effective by role-driven security teams.

While I’ll cover items #1 and #2 in a follow-on post, here’s what VMware can do in the short term to remedy what I think is a huge issue going forward with item #3, usability and management.

Specifically, in the same way vCloud Director sits above vCenter and abstracts away much of the “unnecessary internals” to present a simplified service catalog of resources/services to a consumer, VMware needs to provide a dedicated security administrator’s “portal” or management plane which unites the creation, management and deployment of policy from a SECURITY perspective of the various disparate functions offered by vShield App, Edge and Endpoint. [ED: This looks as though this might be what vShield Manager will address. There were no labs covering this and no session I saw gave any details on this offering (UI or API)]

If you expect a security administrator to have the in-depth knowledge of how to administer the entire (complex) virtualization platform in order to manage security, this model will break and cause tremendous friction. A security administrator shouldn’t have access to vCenter directly or even the vCloud Director interfaces.

Since much of the capability for automation and configuration is made available via API, the notion of building a purposed security interface to do so shouldn’t be that big of a deal. Some people might say that VMware should focus on building API capabilities and allow the ecosystem to fill the void with solutions that take advantage of the interfaces. The problem is that this strategy has not produced solutions that have enjoyed traction today and it’s quite clear that VMware is interested in controlling their own destiny in terms of Edge and App while allowing the rest of the world to play with Endpoint.

I’m sure I’m missing things and that, given the exposure I’ve had (without any in-depth briefings), there may be material issues associated with where the products are given their early status, but I think it’s important to get these thoughts out of my head so I can chart their accuracy, and it gives me a good reference point to direct the product managers to when they want to scalp me for heresy.

There’s an enormous amount of detail that I want to/can get into. The last time I did that it ended up in a 150 slide presentation I delivered at Black Hat…

Allow me to reiterate what I said in the beginning:

You should walk away from this post understanding that I think the approach holds promise within the scope of what VMware is trying to deliver. I think it can and will offer customers choice and flexibility in their security architecture, and I think it addresses some serious segmentation, security and compliance gaps. It is a dramatically impactful set of solutions that is disruptive to the security and networking ecosystem. It should drive some interesting change. The proof, as they say, will be in the vPudding.

…and we all love vPudding.

/Hoff

Category: Security

How To Wield the New vShield (Edge, App & Endpoint)

Rational Security - Tue, 08/31/2010 - 04:20

Today at VMworld I spent my day in and out of sessions focused on the security of virtualized and cloud environments.

Many of these security sessions hinged on the release of VMware’s new and improved suite of vShield product offerings, which can be summarized by a deceptively simple set of descriptions:

  • vShield Edge – Think perimeter firewalling for the virtual datacenter (L3 and above)
  • vShield App – Think internal segmentation and zoning (L2)
  • vShield Endpoint – Anti-malware service offload

The promised capabilities of these solutions offer quite a well-rounded set of capabilities from a network and security perspective, but there are many interesting things to consider as one looks at the melding of the VMsafe API, vShield Zones and the nepotistic relationship enjoyed between the vCloud (née VMware vCloud Director) and vSphere platforms.

There is a series of capabilities emerging which seek to solve many of the constraints associated with multi-tenancy and scale challenges of heavily virtualized enterprise and service provider virtual data center environments. However, many of the issues I raised in the Four Horsemen of the Virtualization Security Apocalypse still stand (performance, resilience/scale, management and cost) — especially since many of these features are delivered in the form of a virtual appliance.

Many of the issues I raise above (and asked again today in session) don’t have satisfactory answers, which just shows you how immature we still are in our solution portfolios.

I’ll be diving deeper into each of the components as the week proceeds (and as more details around vCloud Director are made available), but one thing is certain — there’s a very interesting amplification of the existing tug-of-war between the security capabilities/functionality provided by the virtualization/cloud platform providers and the network/security ecosystem trying to find relevance and alignment with them.

There is going to be a wringing out of the last few smaller virtualization/Cloud security players who have not yet been consolidated via M&A or attrition (Altor Networks, Catbird, HyTrust, Reflex, etc.) as the three technologies above either further highlight an identified gap or demonstrate irrelevance in the face of capabilities “built in” (even if you have to pay for them) by VMware themselves.

Further, the uneasy tension between the classical physical networking vendors and the virtualization/cloud platform providers is going to come to a boil, especially as it comes to configuration management, compliance, and reporting, as the differentiators between simple integration at the API level of control and data plane capabilities and things like virtual firewalling (and AV, and overlay VPNs and policy zoning) begin to commoditize.

As I’ve mentioned before, it’s not where the network *is* in a virtualized environment, it’s where it *isn’t* — the definition of where the network starts and stops is getting more and more abstracted. This in turn drives the same conversation as it relates to security. How we’re going to define, provision, orchestrate, and govern these virtual data centers concerns me greatly, as there are so many touchpoints.

Hopefully this starts to get a little clearer as more and more of the infrastructure (virtual and physical) becomes manageable via API, such that ultimately you won’t care WHAT tool is used to manage networking/security, or even HOW, other than the fact that policy can be defined consistently and implemented/instantiated via API across all levels transparently, regardless of what’s powering the moving parts.

This goes back to the discussions (video) I had with Simon Crosby on who should own security in virtualized environments and why (blog).

Now all this near-term confusion and mess isn’t necessarily a bad thing, because it’s going to force further investment, innovation and focus on problem solving that’s simply been stalled in the absence of technology readiness, customer appetite and compliance alignment.

More later this week. [Ed: You can find the follow-on to this post here: "VMware's (New) vShield: The (Almost) Bottom Line"]

/Hoff

Category: Security
