Cloud Security Alliance Guidance Document v2

CSA has released version 2 of the cloud security guidance document. It is available at http://www.cloudsecurityalliance.org/csaguide.pdf

It was a privilege working with so many of my peers located in different parts of the world. It is actually amazing that so many of us could collaborate and work collectively on this initiative.

Redefine the IT Perimeter – I

This follows my post in 2006 on the question of realizing a secure IT environment without any perimeter. I read about the JERICHO framework for the first time, way back in 2005. I was and still am fascinated by the concept. It made sense and all, but only in theory, as I quickly realized the challenges in implementing a total de-perimeterization strategy. It not only involves a change in the mindset of the IT teams (to let go of the LAN) but also poses challenges on the technical front, as the solutions are not ready for a 100% JERICHO based network yet. (Of course, JERICHO is more than just removing the LAN.)

With the continuous improvement and maturity in technologies like identity management, endpoint security and network admission/access control, the time is ready for large organizations to reap the benefits of a modified approach.

In this post I present my thoughts on implementing a stepped-down version of the de-perimeterization approach for an enterprise, which aims to ‘remove the need for an enterprise LAN’.

In my opinion, this approach can be implemented in a phased manner, targeting the mobile users first and then the users with desktops, and so on. Needless to say, there will still be departments and/or business functions for which this approach will either not be applicable or for which the management will still want to retain the traditional LAN based model, e.g. R&D and design functions.

———————-

Today, almost all enterprises are facing challenges in providing a secure IT environment for the business and in providing assurance to the management and auditors.

If you take a typical enterprise, one can see IT expenditure in the areas of establishing a governance framework for information security, enterprise wide security policies and user awareness initiatives, and infrastructure security components like firewalls and IDS/IPS to secure the perimeter, B2B partner connectivity and other identified perimeters. There has been an increased focus on establishing and securing data centers and the systems residing in them.

After having spent money on securing data centers and implementing network security controls, the next target is to secure the endpoints. Many IT teams are implementing advanced endpoint security solutions like desktop based IPS and encryption solutions along with the traditional anti-virus and personal firewall on the endpoints. With a change in the threat landscape, where more and more threats are now targeting endpoints, especially mobile users, endpoint security is the new focus area for many CISOs.

A point to ponder: if we own the network, why do we need to protect the endpoint and spend top dollars securing the systems that connect to the network?

Well, we need to do so because we just can’t control what flows through the network in the first place. We have put firewalls, network IDS, IPS, DDoS appliances and so on in place, but we still don’t have the assurance that a system that connects to the network will be secure, and hence the need to implement some endpoint security solution to protect it.

Enterprises moving to make most of their applications web enabled, extranets and business partner connectivity, vendors and consultants connecting to the enterprise IT environment, roaming users and the work-from-home culture have all led to the collapse of the traditional castle approach towards securing the enterprise.

So, this brings up another point to ponder: if we spend top dollars securing the network with state of the art network security controls and still can’t control the kind of traffic that flows through it, why do we want to own it in the first place?

My own laptop has all the endpoint security features enabled when I connect to my corporate LAN as well as when I connect to the internet. So does it mean that the LAN or corporate network is as insecure as the Internet?

Routers, layer 2 and 3 switches, firewalls, network IDS/IPS, DDoS appliances, QoS, sniffers, network management tools, network security management tools, teams for network and security operations… and then anti-virus, personal firewall, host based IPS, DLP, desktop encryption… and still the question remains: are we secure yet?

So, is there any way to bring down the total cost of securing the operating environment for the business?

… just do away with the hard perimeter and the underlying corporate network, and focus resources and effort on protecting the data center and endpoints only.

I am not against networks 😉 (I am, or rather was, a certified CCNP). But I am just extending the logical reasoning which many CIOs and CISOs ponder when the network and security teams ask for funds to secure the enterprise.

  1. Consolidate the applications in the data center and implement network and system security controls as we do traditionally, along with an additional SSL VPN and network admission control at the perimeter from where the users can access the enterprise applications.
  2. Have the internet service providers implement wireless access points in the office premises. The users will then connect to the internet directly even though they are in the office premises. Ensure that there are adequate endpoint security controls implemented on the endpoints; we are doing this anyway in the existing scenario.
  3. Let the users connect to the enterprise applications hosted in the enterprise data center over the internet. If the application is already SSL enabled, no additional encryption/decryption is required at the gateways. However, in the case of client-server applications, we can use the clientless SSL VPN to secure the data flow between the endpoint and the application server for the session.
  4. Once the user connects to the data center, the authentication enforcement systems implemented at the gateway check the authenticity of the user. Depending upon the application landscape, a single sign-on solution can also be implemented. However, if that is too much of a challenge for the moment, a user can have separate network login credentials and separate application login credentials, as is the case within many enterprises today.
  5. Post authentication, the network admission control enforcement systems ensure that the endpoint has the latest OS patches, anti-virus updates etc. and also conforms to the corporate baseline security standards.
  6. In case the endpoint does not conform to the policies enforced by the network admission control elements, the endpoint is allowed access only to a quarantined zone, where the administrators can then push the latest updates and patches to the user endpoint. Once the endpoint is brought back into compliance, the user is allowed access to the applications.
  7. Once both the user and the endpoint are validated, the user is allowed access to the applications to which he has access based on the defined role of the user as reflected in the enterprise directory systems.
  8. The user performs the necessary activities and then logs off. During the entire session, for the whole time the user is connected to the data center, the session and user activities are monitored using an event monitoring framework in real time or as near to real time as possible.
  9. In case any hands-on support is required to fix a problem on the desktop, the users can call the helpdesk as they do in the current scenario.

This approach also ensures that the users have nearly the same experience irrespective of the location from which they are trying to access the enterprise IT.

Now the users are logged on to the internet even when they are in the office, in addition to when they log in from home over the internet or from public wireless hotspots (e.g. an airport), and they have the same look and feel when they connect to enterprise applications over the internet.

In my opinion, the security associations also do not change.

For example, if an enterprise has not enforced host based IPS and a robust patch management solution on the laptops of mobile users, it has inherently accepted the risk of a security breach due to malicious activity when the user connects to the internet from home or from a public wireless hotspot. Hence, in the proposed framework, the risk of a security breach remains the same and does not escalate if the user connects to the internet directly from the office as well.

The core of this approach is based on the following frameworks: data center security, endpoint security, identity management, network admission control, clientless VPN and security event monitoring.

Some of these are described in brief below:

A. data center security

This subject is not something new to most of us. Traditionally, organizations have implemented network and system security solutions to protect the systems within the enterprise data center.

Data center consolidation

  • Instead of having islands of server farms within the enterprise, each secured by its own set of network and system security elements, one of the key points in this approach is to remove these islands from the enterprise LAN and consolidate them in specific data centers. This will not only improve manageability but also focus the effort on securing the data centers instead of individual islands.
  • There can be various approaches to consolidation. It can potentially involve moving from local country specific data centers to a limited number of regional data centers. Server virtualization is another area which will contribute significantly to data center consolidation.

Securing the perimeter of the Data Center

  • The data center architecture should (and usually does) clearly identify the perimeter (hard and soft) and the traditional controls deployed on it to secure the data center.
  • The data center architecture should be designed to have layers of control which will help resist an attack or malicious activity by having adequate preventive controls.
  • This should be complemented by a set of detective controls and then a set of controls that will help contain and recover in case of a malicious incident.

Network admission control

  • Network admission control should be deployed to check for configuration and settings compliance after the user has been successfully authenticated.
  • The necessary controls should be deployed at the perimeter of the data center to enforce a compliance check on each endpoint that connects to the data center to access the enterprise applications.
  • The compliance check should verify the following at a minimum: OS patches, anti-virus updates, that critical services like DLP, encryption etc. are running, and enterprise baseline policies.
  • Based on the validation of the endpoint, the user should be allowed access to the applications; otherwise the endpoint should be placed in a restricted access zone where the administrator can then push the necessary patches etc. to bring the endpoint back into compliance.
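The admission flow described in steps 4 to 7 above and in the network admission control bullets (authenticate the user, check endpoint posture against the corporate baseline, quarantine on failure, otherwise grant role-based application access) as a worked policy decision. This is an added example, not code from the post or from any NAC product; the baseline values, service names, roles and application names are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample baseline (hypothetical values, not from any real product):
# minimum OS patch level, maximum anti-virus signature age, required agents and settings.
BASELINE = {
    "min_patch_level": 200910,
    "max_av_sig_age_days": 3,
    "required_services": {"dlp_agent", "disk_encryption"},
    "required_settings": {"personal_firewall": True, "hips": True},
}
# Constructed role-to-application mapping, standing in for the enterprise directory.
ROLE_APPS = {"finance": {"erp", "mail"}, "sales": {"crm", "mail"}}

@dataclass
class Endpoint:
    patch_level: int        # installed patch baseline, as a year-month integer
    av_sig_date: date       # date of the newest anti-virus signature set
    running_services: set   # names of agents currently running
    settings: dict          # baseline settings reported by the endpoint agent

def posture_failures(ep, today, policy=BASELINE):
    """Return the baseline checks the endpoint fails; an empty list means compliant."""
    failures = []
    if ep.patch_level < policy["min_patch_level"]:
        failures.append("os_patches")
    if (today - ep.av_sig_date).days > policy["max_av_sig_age_days"]:
        failures.append("av_signatures")
    missing = policy["required_services"] - ep.running_services
    if missing:
        failures.append("services:" + ",".join(sorted(missing)))
    for key, wanted in policy["required_settings"].items():
        if ep.settings.get(key) != wanted:
            failures.append("setting:" + key)
    return failures

def admission_decision(user_authenticated, role, ep, today):
    """Gate in the post's order: user authentication, then endpoint posture, then role."""
    if not user_authenticated:
        return {"zone": "denied", "apps": set(), "reason": ["authentication"]}
    failures = posture_failures(ep, today)
    if failures:  # non-compliant endpoint is parked for remediation, no application access
        return {"zone": "quarantine", "apps": set(), "reason": failures}
    return {"zone": "applications", "apps": ROLE_APPS.get(role, set()), "reason": []}

def sample_endpoints():
    """Constructed sample data: one compliant endpoint and one that fails several checks."""
    today = date(2009, 12, 15)
    ok = Endpoint(200912, date(2009, 12, 14), {"dlp_agent", "disk_encryption"},
                  {"personal_firewall": True, "hips": True})
    stale = Endpoint(200909, date(2009, 12, 1), {"dlp_agent"}, {"personal_firewall": True, "hips": False})
    return today, ok, stale
```

The failure list returned for a quarantined endpoint is what the remediation zone would act on, so every check that fails is recorded rather than stopping at the first one.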

B. Identity Management

Increasingly, enterprises are looking to streamline the way they manage the identities of the users in their environment. Since there is enough material available on this subject, I am not spending too much time on it.

  • Along with managing identities, managing access to enterprise resources based on the role of the user is also hot on the radar for many enterprises.
  • Not only can these two initiatives address most of the user identity lifecycle and its associated issues, they are also very helpful in ensuring compliance by streamlining and effectively managing access control in applications and on IT resources.
  • The user identity is checked the moment the user connects to the data center, using secure authentication controls. The complexity of the authentication mechanism will vary from enterprise to enterprise and from vertical to vertical.

C. endpoint strategy

The endpoint strategy consists of implementing the right technology solutions at the endpoints, combined with strict control over the configuration standards and policies enforced on them.

Implement an endpoint security framework on the endpoints

The framework should consist of the following technologies at a minimum:

  • anti-virus and personal firewall
  • endpoint encryption
  • desktop HIPS
  • DLP for endpoints
  • URL filtering *

Most organizations have already implemented the first two of these endpoint technologies. Lately, more and more organizations are exploring desktop level HIPS and DLP technologies and solutions to further strengthen their endpoints and ensure continuous data protection. In fact, many solution providers are now bundling these under the umbrella of endpoint security solutions, where a single agent at the endpoint has all the functionality listed above.

I also think the anti-virus solution from McAfee allows roaming users to fetch anti-virus updates from a hosted McAfee website if the user cannot connect to the enterprise ePO server. If this is the case with other solution providers also, we can leverage this feature to ensure the anti-virus is always updated irrespective of where the user joins the network from.

Enforce corporate baseline configuration standards and policies for the endpoints

Ensure each endpoint is configured as per the accepted baseline standards, and enforce these standards using group policy objects and other controls on the endpoints.

Restrict the proliferation of administrative rights on the endpoints

Even if such rights are required, ensure that the end users cannot disable the deployed endpoint solutions without the administrator password for those solutions (I have seen a TrendMicro endpoint security solution which requires a separate password, different from the local or domain admin passwords, in case anyone wants to disable it).

In-the-cloud URL filtering to restrict browsing when users are in the office

In case there is still a need to enforce a URL filtering solution to ensure users at the office premises do not access prohibited sites, one can contract with the service provider to provide an in-the-cloud URL filtering solution for the range of IP addresses that has been allocated to the enterprise.

D. Redefine the concept of the local LAN

The LAN, as we know it today, comprises core and access switches and routers, cables and wiring cabinets, fiber and other media connecting offices to each other. Also throw in some complex routing protocols routing traffic from the offices to the enterprise data centers, enabling users to access enterprise applications.

  • It also involves a heavy payout from the enterprise IT budget. The payout usually includes, amongst other things, the cost of the switches and routers, the annual maintenance and support charges, the cost of the bandwidth provisioned between offices, the cost of complex network management tools and the effort that goes into ensuring the network is ‘up’ and the users can go about their work.
  • I have already discussed in brief why we need endpoint security even though we spend heavily on the LAN and on the network security elements to protect the systems on it.

Now, take the LAN out of the picture and ask service providers like BT or Verizon to install DSL based internet connectivity in the building. With wireless access points in the building, the end users can connect to the internet from anywhere in the office.

One concern that does crop up is the issue of the bandwidth available to the users in such a scenario, and it is a genuine concern. With most enterprise applications becoming web enabled, the bandwidth requirement has gone down considerably. Also, if you look at the network utilization when a user is on a 100 Mbps link and accessing email, you will notice that more often than not the utilization is usually less than 1%.

However, there can be issues in case there are time sensitive applications which require a real time response.

I still believe that there is some time to go before we have solutions to realize the JERICHO framework in its totality. However, the approach mentioned above can lead to substantial cost savings by removing the LAN and focusing the resources on securing the endpoints and data centers only.