Privileged Access in the Virtualized Data Center: How to Reduce Security Risks and Ensure Business Resiliency
No single solution can prevent all security risks in a virtualized data center, but automation can help.
by Shlomi Dinoor
According to Gartner's 2010 survey of CIO priorities, a significant shift in enterprise spending and business priorities is underway. The survey found that CIOs are finally moving toward dedicating budgets to technologies that add strategic value to the enterprise -- not just for achieving "low-hanging" cost-cutting goals. Gartner reported that CIOs' greatest technology priority is virtualization, with business process improvement as a top business goal. The challenge now becomes turning these priorities into reality.
Let's examine data centers specifically, which are poised to become one of the most significant growth areas for virtualization. In fact, President Obama's recently released 2011 budget proposal, which calls for flattened federal IT spending, has the potential to fuel the adoption of technologies such as virtualization to drive greater data center consolidation and centralization. Therefore, it's reasonable to expect many state agencies to follow the federal lead, along with likely spill-over to the private sector.
However, despite its many benefits, increased adoption of virtualization does lead to additional risks to an enterprise, especially in terms of IT security. Here's the proof. Survey data from Gartner conferences in late 2009 indicated that about 40 percent of virtualization deployment projects were undertaken without involving the information security team in the initial architecture and planning stages. Consider the challenges this disconnect places on IT administrators, especially those responsible for managing uber-powerful privileged identities, applications and data. In a virtual environment there is a multiplier effect. Administrators are no longer just focusing on vulnerabilities presented by one system and one application; they are responsible for almost limitless applications and data.
Because virtualization represents a major shift in infrastructure, it has introduced a new type of administrator -- the "Super Admin" -- whose responsibility is not limited to a certain piece of the infrastructure (server, database, or network) as with traditional (physical) infrastructure. Instead, the Super Admin is responsible for all infrastructure, applications, and data running in the virtual environment. In many cases, this admin doesn't have adequate experience with some of these systems. Previously, a typical admin would have mastered servers or the network or storage. Now the admin is responsible for it all. In addition to risks associated with the admin's excessive rights, there are new risks derived from the lack of expertise. It extends the internal threat -- to malicious or negligent actions as well as to misconfigurations and other potential problems.
As we delve deeper into IT security and privilege in the virtualized data center, we must understand how the definition of privilege is evolving. We are no longer just talking about controlling database administrators with virtually limitless access to sensitive data and systems; we are talking about processes and operations that can be considered privileged based on the data someone is accessing, the database being entered, or the actions being taken as a result of the data.
Until recently, the concept of "privilege" was defined by the risk of the data being accessed. Today, CIOs are increasingly interested in the risks that privileged identities, processes, and data present not only from a security perspective but also from a business sustainability and continuity perspective. This is an important distinction to make.
For instance, even if a breach doesn't occur as the result of unauthorized access, if a critical system goes down, it has the potential to impact workers' ability to do their jobs (such as make financial trades and process payments). Consider this example we recently heard from the field. An administrator was responsible for database cleanup. Because of the excessive rights he had been granted, he (mistakenly) cleaned data critical for one of his company's core business applications. This caused the system to go down immediately, affecting the company's bottom line because every minute that application was down, money was being lost.
Ultimately, in cases like this, a company's brand and relationships with key business partners are at risk. Therefore, the data center manager and his CIO aren't just concerned about an employee snooping for a peek at highly-sensitive data. Since enterprises can lose hundreds of thousands of dollars for every minute a system is down, managing and monitoring that access takes on greater importance to the overall business.
Keeping Tabs on Privilege in the Data Center: Moving Beyond Identities
Most data centers are complex IT environments, making it exceedingly difficult for one group to monitor and actively manage the high-value systems, applications, data, and associated identities.
Data centers can contain hundreds or thousands of servers, databases, and network devices (among other components), all controlled and managed by a variety of privileged and shared identities -- also known as break-glass, emergency, or fire IDs -- that are the most powerful in any organization. This includes the Root account on UNIX/Linux, Administrator in Windows, Cisco Enable, Oracle system/sys, MSSQL SA, and many more.
These identities are often neglected, monitoring their session activities is difficult, and passwords are rarely changed. In some cases, these identities are required by the internal IT personnel as well as external, third-party vendors and, thus, require extra care through the creation of secure remote access and secure session initiation. Powerful privileged passwords can also be hard coded inside applications, scripts, and parameter files, and because application passwords are also rarely changed, it leaves them highly vulnerable to malicious use as well.
Mismanagement of privileged identities exponentially increases the risk of insider threats. In many organizations, the same root or administrator password is used across the organization, making it relatively easy for a disgruntled employee to steal information or abruptly take down core systems. However, even if traditional tools are used to monitor shared account usage, it's difficult to know who actually performed the activity. There must be a system in place that can uniquely identify who is using these accounts and monitor and audit their activities. In addition, when admins try to elevate permissions on their own personal accounts for specific actions, the company should employ similar controls associated with workflow, authentication, authorization, audit, policies, and more.
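The control called for above, tying each use of a shared account back to the individual who used it, as an added example that is not part of the original article and is not Cyber-Ark's code. It correlates constructed sshd login lines with constructed checkout records from a hypothetical password vault or broker (who held which shared account, for which host, during which window), attributes each privileged login to the holder, and flags logins that no checkout explains. The log format, checkout schema and watched account names are assumptions.

```python
import re
from datetime import datetime

# Shared/privileged account names to watch (assumption; extend to match your estate).
PRIVILEGED_ACCOUNTS = {"root", "Administrator", "sys", "system", "sa"}

# Constructed sample checkout records from a hypothetical vault/broker: who held the
# shared account, on which host, and during which window.
CHECKOUTS = [
    {"user": "alice", "account": "root", "host": "db01",
     "start": "2010-03-02T09:00:00", "end": "2010-03-02T10:00:00"},
    {"user": "bob", "account": "root", "host": "web03",
     "start": "2010-03-02T11:30:00", "end": "2010-03-02T12:00:00"},
]

# Constructed sample sshd auth-log lines. Syslog timestamps carry no year, so the
# parser takes the year as a parameter.
AUTH_LOG = """\
Mar  2 09:12:41 db01 sshd[2210]: Accepted password for root from 10.1.4.22 port 51122 ssh2
Mar  2 09:47:03 db01 sshd[2290]: Accepted password for root from 10.1.4.22 port 51140 ssh2
Mar  2 10:02:10 db01 sshd[2301]: Accepted publickey for carol from 10.1.4.25 port 51150 ssh2
Mar  2 11:45:00 web03 sshd[884]: Accepted password for root from 10.1.4.30 port 40010 ssh2
Mar  2 13:05:19 db01 sshd[2415]: Accepted password for root from 10.1.9.77 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \w+ for (?P<account>\S+) from (?P<src>\S+) port"
)


def parse_auth_log(text, year=2010):
    """Return the successful logins to watched shared accounts, oldest first as logged."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["account"] not in PRIVILEGED_ACCOUNTS:
            continue  # malformed line or a personal (non-shared) account: not our concern here
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"when": when, "host": m["host"],
                       "account": m["account"], "src": m["src"]})
    return events


def attribute(events, checkouts):
    """Attach the person whose checkout window covers each login, or None if nobody's does."""
    windows = [(c["user"], c["account"], c["host"],
                datetime.fromisoformat(c["start"]), datetime.fromisoformat(c["end"]))
               for c in checkouts]
    attributed = []
    for e in events:
        holder = None
        for user, account, host, start, end in windows:
            if e["account"] == account and e["host"] == host and start <= e["when"] <= end:
                holder = user
                break
        attributed.append({**e, "user": holder})
    return attributed


def unattributed(attributed):
    """Shared-account logins no checkout explains: the first thing an auditor should review."""
    return [e for e in attributed if e["user"] is None]


def sessions_by_user(attributed):
    """Per-person count of shared-account sessions, for the audit trail."""
    counts = {}
    for e in attributed:
        key = e["user"] or "<unattributed>"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    result = attribute(parse_auth_log(AUTH_LOG), CHECKOUTS)
    for e in result:
        print(e["when"], e["host"], e["account"], e["src"], "->", e["user"] or "UNATTRIBUTED")
    print(sessions_by_user(result))
```

The 13:05 root login on db01 falls outside every checkout window, so it surfaces as unattributed: either someone used the root password without going through the vault, or the vault's records are incomplete. Both are findings. Time skew between hosts and the vault is the usual source of false positives, so in practice the window comparison needs a tolerance of a few minutes.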
Another risk is that privileged accounts usually have unlimited access to back-end systems. Compromising such accounts may lead to uncontrolled access, bypassing the normal system operation. That access could result in the manipulation of billing records and loss of money as well as create massive audit risks.
Beyond identities, "privilege" now extends to critical processes and operations. Consider common yet high-risk, day-to-day data center activities such as applying a security patch to servers. Depending on its type, a server can contain both access to sensitive data and business-critical infrastructure, creating security and business risks.
Consider also the job of archiving old files on a file server. A file system stores sensitive data, so access must be controlled to prevent data from being leaked or compromised (which could expose the organization to broader governance, risk, and compliance issues).
Finally, consider maintenance work on a database with a customer's credit card information, which raises an access-control issue. If sensitive data is leaked or compromised, it puts customers' identities at risk and could irreparably impact that organization's brand image and reputation.
Other activities -- such as provisioning a new virtual desktop for a new user and updating a VM template based on business requirements -- create access control concerns. Accessing a Web server to manage a critical business application or granting employee access to a CRM system create additional business risks by potentially exposing highly secure infrastructure and highly-sensitive data.
The Role of Automation
To better secure data center identities, processes, and operations, organizations must be able to automate the detection process of privileged accounts, including service accounts and scheduled tasks, wherever they are used across the data center and remote networks. This auto-detection capability significantly reduces ongoing administration overhead by proactively adding in new devices and systems as they are commissioned, and it further ensures that any privileged password changes are propagated wherever the account is used. It also increases stability and eliminates risks of process and application failures from password synchronization mismatches.
Another benefit of automation is that organizations are assured that password refreshes are made at regular intervals and in line with the organization's IT and security policies. Having an automated system in place allows the company to have a streamlined mechanism for disabling these privileged accounts immediately, thus lessening the impact on business operations.
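An added example, not code from the article or from Cyber-Ark, of the rotation and propagation checks this section describes. A constructed inventory, in the shape a hypothetical discovery job might emit, is audited for three things: passwords older than a per-class maximum age, the same secret in use on several systems, and the dependent scripts and scheduled tasks that must be updated alongside an account so that a rotation does not cause the synchronization failures mentioned above. The account classes, age limits, and the "fingerprint" field (standing in for a one-way fingerprint of the current secret as a vault might hold it) are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory. Equal "fingerprint" values mean the same password is in
# use on several systems; "dependents" are places that embed or depend on the password.
INVENTORY = [
    {"account": "root", "host": "db01", "kind": "interactive",
     "last_rotated": "2010-01-05", "fingerprint": "f1",
     "dependents": ["/etc/cron.d/backup"]},
    {"account": "root", "host": "db02", "kind": "interactive",
     "last_rotated": "2010-01-05", "fingerprint": "f1", "dependents": []},
    {"account": "svc_backup", "host": "bak01", "kind": "service",
     "last_rotated": "2009-06-30", "fingerprint": "f2",
     "dependents": ["scheduled task: NightlyBackup", "C:\\jobs\\backup.bat"]},
    {"account": "sys", "host": "ora01", "kind": "application",
     "last_rotated": "2010-02-20", "fingerprint": "f3",
     "dependents": ["/opt/app/conf/db.properties"]},
]

# Assumed policy: maximum password age in days per account class.
POLICY_MAX_AGE_DAYS = {"interactive": 30, "service": 90, "application": 90}


def overdue(inventory, policy, today):
    """Return (account, host, age_days) for every entry older than its class allows."""
    late = []
    for entry in inventory:
        age = (today - date.fromisoformat(entry["last_rotated"])).days
        if age > policy[entry["kind"]]:
            late.append((entry["account"], entry["host"], age))
    return late


def reused_secrets(inventory):
    """Map each fingerprint shared by more than one system to the (account, host) pairs using it."""
    by_fp = defaultdict(list)
    for entry in inventory:
        by_fp[entry["fingerprint"]].append((entry["account"], entry["host"]))
    return {fp: users for fp, users in by_fp.items() if len(users) > 1}


def rotation_plan(inventory, account, host):
    """Everything that must change together when this account's password is rotated."""
    target = next(e for e in inventory if e["account"] == account and e["host"] == host)
    same_secret = [(e["account"], e["host"]) for e in inventory
                   if e["fingerprint"] == target["fingerprint"]
                   and (e["account"], e["host"]) != (account, host)]
    return {"primary": (account, host),
            "dependents": list(target["dependents"]),
            # Systems sharing the secret: rotate them too, or give each its own new secret.
            "same_secret_elsewhere": same_secret}


if __name__ == "__main__":
    today = date(2010, 3, 2)  # constructed "now" for the sample data
    print("overdue:", overdue(INVENTORY, POLICY_MAX_AGE_DAYS, today))
    print("reused:", reused_secrets(INVENTORY))
    print("plan:", rotation_plan(INVENTORY, "svc_backup", "bak01"))
```

The rotation plan is the part that keeps automation from breaking things: rotating svc_backup without updating the scheduled task and batch file listed as dependents is exactly the "password synchronization mismatch" failure the section warns about, and rotating root on db01 while leaving db02 on the old shared password leaves the reuse finding unresolved.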
From a compliance standpoint, regulations such as Sarbanes-Oxley, PCI, and Basel II require organizations to provide accountability about who or what accessed privileged information, what was done, and whether passwords are protected and updated according to policy. Without the necessary systems in place to automatically track and report that access, compliance becomes a daunting, time-consuming, and often expensive process, especially in terms of employees' time and potential fines.
To be clear, the automation of data centers is inevitable -- not just of security controls but of all data center operations. Manual controls and processes will not allow the data center to scale up (or down) as required by the business. This will drive many of the operations to be automatic (policy-based) rather than performed manually by administrators.
Although no single solution can prevent every breach or threat to business resiliency caused by IT security risks inherent to virtualized data centers, organizations can prepare by implementing proven processes and technologies to automate adherence to the security policies in place across the entire enterprise. In doing so, enterprises can protect against breaches, meet audit requirements, and mitigate productivity and business losses.
Shlomi Dinoor is vice president of emerging technologies at Cyber-Ark and heads Cyber-Ark Labs. Dinoor is focused on new technologies that help customers prepare for "what's next" in terms of emerging insider threats, data breach vulnerabilities and audit requirements, while supporting new business models such as the secure delivery of cloud-based applications and services.