Unfortunately, it's not always this obvious when your privileged user accounts or data have been hacked.
New reports from security investigators are estimating that the recent Adobe breach may in fact be the biggest known breach of all time -- with more than 152 million user accounts stolen. Adobe has stated that many of these were fake user accounts or users with invalid passwords, but from a data security perspective, the scope is still concerning. With today's infrastructure, an unprecedented amount of data can exist in one place, making it a virtual treasure trove.
When you look at the cloud, or really, any virtualized infrastructure, you are right to be concerned. Research from Forrester, along with many other surveys, indicates that insiders continue to be the root cause of breaches. Forrester's 2013 data indicates 36% of breaches are from inadvertent misuse of data by insiders, while 25% of breaches are caused by malicious insiders. That's a lot of damage from people whose salaries you pay!
Why are virtualized environments different?
I've written a fair amount about why you need to be careful of data in public clouds, but what about data inside your firewall? Before server virtualization, networks were physically separated -- with designated servers, software and administrators to oversee them. Security meant keeping the bad guys out with a strong perimeter, segmentation internally to separate sensitive or regulated data, and protecting servers with physical methods like locked doors and video cameras.
Over 50% of server workloads are now run in virtual machines, according to IDC's estimates (VMware-sponsored whitepaper). Many of the same security measures still apply: you must maintain firewalls, run and update antivirus, patch applications, and so on. But because virtual machines run on a hypervisor, having access to the virtual infrastructure really gives you the 'master key' to everything in the datacenter. You get a significant concentration of risk, and there is no video camera watching what you're doing.
In the virtual world, administrators don't even need access to the VM. It's easy for them to take a snapshot, copy the snapshot elsewhere and spin up a copy of the VM and/or modify the disk image to inject new users and passwords. Thus, getting access to data is much easier than it was in the physical world.
What should you do?
If you are running a virtualized infrastructure and you value your data (or want to avoid a PR nightmare like Adobe has faced in the last few weeks), here are some tips and best practices that you can follow:
- Know who is doing what: Make sure administrators are authenticated in a way that allows you to track what they are doing. If you are concerned about one person having too much power, use the 'two-man rule' -- where sensitive operations require the approval of a second person.
- Control the environment: In virtualized environments, administrators can do a huge amount of damage intentionally or accidentally. Take the example of Shionogi, a pharmaceutical company that fired an administrator. Months later, in retribution for the firing of a colleague, the admin logged in and deleted all production virtual machines. This simple action killed a multitude of production applications, costing the company $800,000 to remediate and a week of business downtime to recover. Out-of-the-box management tools are made to give you access, but not necessarily securely. Make sure you have the right tools to prevent these catastrophic impacts.
- Have a system of record: If you face audits from internal or regulatory sources, you need to have an audit-ready log that provides definitive information about both what has happened and unsuccessful attempts to access or change resources.
- Harden your hypervisors: There are best practices and tools available to harden the hypervisor. Make sure they're locked down to prevent tampering.
- Encrypt your virtual machines and their data: You want to be able to prevent someone from copying a VM and spinning it up outside the trusted network. Further, encryption will secure the stored data or copies of the VMs that have been made for backup or disaster recovery.
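As an added illustration (not part of the original article and not tied to any vendor's log format), the following Python reviews a constructed audit trail for three of the points above: sensitive operations that lack a second approver, a snapshot followed by an export of the same VM, and repeated unsuccessful attempts. The event schema, action names, admin names, correlation window and threshold are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical schema (not any product's log format).
EVENTS = [
    {"ts": "2013-11-04T09:00:00", "admin": "alice", "action": "snapshot.create", "target": "db01", "outcome": "ok", "approver": None},
    {"ts": "2013-11-04T09:07:00", "admin": "alice", "action": "snapshot.export", "target": "db01", "outcome": "ok", "approver": None},
    {"ts": "2013-11-04T10:00:00", "admin": "bob", "action": "vm.delete", "target": "web02", "outcome": "ok", "approver": "carol"},
    {"ts": "2013-11-04T11:00:00", "admin": "dave", "action": "vm.delete", "target": "db01", "outcome": "denied", "approver": None},
    {"ts": "2013-11-04T11:01:00", "admin": "dave", "action": "disk.modify", "target": "db01", "outcome": "denied", "approver": None},
    {"ts": "2013-11-04T12:00:00", "admin": "erin", "action": "vm.delete", "target": "app03", "outcome": "ok", "approver": "erin"},
]

SENSITIVE = {"snapshot.export", "vm.delete", "disk.modify"}  # assumed policy
WINDOW = timedelta(minutes=30)   # assumed correlation window
DENIED_THRESHOLD = 2             # assumed alert threshold

def review(events):
    """Return sorted (rule, admin, target) findings for an audit trail."""
    findings, denied, snapshots = set(), Counter(), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        key = (e["admin"], e["target"])
        if e["outcome"] != "ok":
            denied[e["admin"]] += 1      # unsuccessful attempts are evidence too
            continue
        if e["action"] == "snapshot.create":
            snapshots[key] = ts
        # Snapshot then export of the same VM by the same admin: the copy path.
        if e["action"] == "snapshot.export" and key in snapshots and ts - snapshots[key] <= WINDOW:
            findings.add(("snapshot-then-export", *key))
        # Two-man rule: an approver must exist and differ from the requester.
        if e["action"] in SENSITIVE and e["approver"] in (None, e["admin"]):
            findings.add(("no-second-approver", *key))
    for admin, n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.add(("repeated-denied", admin, "*"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
```

Note that a self-approved deletion (the `erin` event) is treated the same as an unapproved one, since the two-man rule only has value when the second person is actually a different person.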
Armed with this knowledge, you can take greater advantage of virtualization, with fewer risks that your data may end up in the wrong hands.