posted

0 Comments

vSphere Platinum ShieldIt’s October so in the US it’s officially National Cybersecurity Awareness Month. As the US CERT website states, “National Cybersecurity Awareness Month (NCSAM) is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online.” Their overarching themes of understanding our own digital profiles, securing digital profiles, and maintaining & protecting one’s digital profile have big parallels in enterprise IT and how VMware vSphere helps organizations be secure. Here are our takes on their main points.

If you connect you must protect” is true for personal devices and enterprise IT infrastructure, though in enterprise IT we often also refer to a concept called “defense in depth.” Defense-in-depth is where an organization creates multiple layers of security, including some redundant levels of security, so that if one layer fails the organization still has protections. A great example of this is with networking, where organizations deploy VMware NSX to protect the perimeters around virtual machines, in-guest OS firewall rules to further protect workloads, and VMware AppDefense to protect applications themselves using process and network reputation data and machine learning. VMware NSX can also be used to create VPN connections for users to access secured resources, which is a powerful and flexible capability.

Back up your information” is always important. It isn’t about backups, though – it’s about being able to restore! NCSAM is a great opportunity to proactively practice restoring your virtual machines and data. When would you rather learn that there are holes in your backup strategy – before a problem or during one? What about a disaster recovery situation? If your primary site was completely offline would you have what you need to restore service elsewhere? Thinking about disaster recovery is a big reason that organizations start using VMware Cloud on AWS. It has all the flexibility of the public cloud for on-demand capacity, complete compatibility with vSphere so it’s instantly understandable by a vSphere Admin, and the infrastructure is maintained by Site Reliability Engineers (SREs) at VMware so there is no additional workload on your organization.

Be up to date” is the age-old pressure to patch systems. We all love to hate patching, but it’s the easiest way to resolve security problems. VMware vSphere Update Manager, vMotion, and the Dynamic Resource Scheduler (DRS) make patching a vSphere installation easy, but it does require enough capacity in the cluster to be able to move workloads around. If you don’t have capacity all the new CPU releases this fall from AMD and Intel make it a good time to have a discussion about adding capacity and refreshing hardware (the new CPUs resolve CPU vulnerabilities, too). Remember to enable Enhanced vMotion Compatibility when you build a new cluster!

Keep it locked” in the context of NCSAM means that you should make sure your devices have automatic logouts and screen locks set. For enterprise IT it might be a good time to review the physical protections on your infrastructure, maybe even change the locks on the doors, add a camera or two, and make sure any RFID card systems don’t give unauthorized people access. People with physical access can cause a lot of problems for an organization, both from an availability perspective as well as being able to steal devices with sensitive data on them. VMware can help mitigate these risks with vSphere VM Encryption and vSAN Encryption, so if someone steals a server or a storage device they will have a tough time recovering useful data from it.

Double your login protection” means multi-factor authentication (MFA) in both the consumer and the enterprise settings. What do we mean by multiple factors? Factors are generally described as something you know (a password or a PIN), something you have (a key, an RFID card, or a one-time password token on your phone), or something you are (your eyeball or fingerprint). Unlike the recommendations from the NCSAM web site, though, text messages (SMS) are considered very weak. It has been shown, repeatedly, that it is very easy for a bad actor to convince the phone company that they are you. SMS is better than nothing, but in an enterprise setting or for people with considerable assets it is not an acceptable risk.

If you do enable MFA one question to ask is how you will recover your account if you lose the device with the token/rotating code on it. For example, many users of the popular Google Authenticator app on phones have been shocked to discover that, for non-Google services, there is no way to back up or transfer the token information between devices, so they are locked out of their accounts – sometimes permanently — if their device is lost or stolen. Other applications, like Authy, have solutions for this.

VMware vSphere already supports some common MFA types, like smart cards, RSA SecureID, and authorization systems that connect via Active Directory and LDAP, and if you are attending VMworld Barcelona consider attending HBI1688BE and HBI1953BE where future authentication directions will be discussed.

Play hard to get with strangers” and “Think before you act” refer to phishing, which is the act of sending malware or malicious links to users. In short, everybody needs to stop clicking on links in email and text messages, and especially ones in messages that seem urgent. This also means people should stop sending links, too! From an enterprise IT perspective, we need to plan for users to be infected with malware at some point. Ransomware is the biggest concern, because it will slowly and patiently encrypt files a user has access to, and because it’s slow that means that backups of those files are often useless, too. Does your backup mechanism detect ransomware? The trend is to have backups online, but those online backups can then be corrupted by ransomware (or outright deleted by a rogue admin). An “air gap” or an offline copy can come in handy, especially if you are keeping them for a long time. The security concept of “least privilege” applies here as well. Do your users have permissions to lots of things, or only the things they need to do just their jobs? The more access they have the more damage they can do, intentionally or unintentionally.

Protect your personal information” is important, too. The more an attacker can find out about you the more they can impersonate you to others. Make sure your social media profiles don’t list your birthday, address, or phone number. From an enterprise perspective, this also extends to people sharing information like photos of a data center, photos of keys, and photos of employee badges. There are applications & services that let people duplicate keys from photos, and a photo of a badge makes it very easy for someone to impersonate an employee.

Encourage people to never answer security questions truthfully. The answer to “What is your mother’s maiden name?” is easily discovered online. It’s also probable that an attacker could figure out what your dog’s name is, or what kind of car you drive. One way to handle these questions is to use a service like dinopass.com to create random answers which you then store in your password manager (you and your users are using a password manager, right?). Yes indeed, my mother’s maiden name was “lazyparrot97.”

The “How can you minimize risk?” section in the NCSAM e-commerce & skimming PDF has good suggestions in it, too. “Implement code integrity checks” can be done easily in vSphere by purchasing servers with Trusted Platform Modules (about $40 per server) and enabling them along with UEFI Secure Boot. This will ensure that your infrastructure, when it boots, is running trusted software from VMware. If & when you are building new vSphere clusters, or upgrading, please turn these features on. Likewise, vSphere supports features like Secure Boot, vTPM, and Microsoft Device Guard & Credential Guard (Virtualization-Based Security), so your guest OSes and workloads can be secured, too.

Ensure you are PCI DSS compliant” might not apply to everyone, but compliance standards are full of great advice. Even if you don’t have to be compliant it is worth reading through to see where your gaps might be. The vSphere Security Configuration Guide is a terrific resource for securing and auditing virtual infrastructure.

Monitor and analyze web logs” is good advice, too. Most organizations should be sending all their device logs out to a separate log collection service, so that if & when something happens the logs are held separately and can be analyzed if the original system is down or corrupted. VMware vRealize Log Insight is a great choice for this, easy to set up and powerful to use.

In conclusion, cybersecurity is a massive topic, and there’s always something to be done to improve. If nothing else, National Cybersecurity Awareness Month is a good excuse to look around and make a to-do list of things to fix or update. If nothing else, making sure that your organization has an updated inventory of assets and that each of those assets is patched is a huge step forward.

Feel free to leave comments, and if you would like assistance with security or compliance, or would love to know more about the advanced security with AppDefense, NSX, or the vRealize Suite in your environments contact your Technical Account Manager, Account Executive, or VMware Global Support Services. As always, thank you for being our customer!

 

Take our vSphere 6.7 Hands-On Lab here, and our vSphere 6.7 Lightning Hands-On Lab here!

 

About the Author

Bob Plankers

Bob Plankers works in the Cloud Platforms group at VMware, focusing on all forms of vSphere security. Prior to joining VMware he spent more than two decades leading cross-organizational teams that designed, built, and operated reliable, secure, and compliance-oriented IT infrastructures. He can be found at blogs.vmware.com, bob.plankers.com, lonesysadmin.net, and @plankers on Twitter.