"When you give the power to the users, sometimes this can cause a lot of problems." This from Check Point Software Technologies security evangelist Tomer Teller, in a recent interview with ReadWriteWeb. Check Point is the current distributor of the ZoneAlarm firewall for Windows, which set new standards a decade ago for the way it delivered security information in a straightforward way to its users.
This is somewhat of a change of heart for Check Point. It's also an observation in the wake of the rapid transformation of the information landscape. Flanked now by mobile devices poking their way in from inside, and cloud technologies seeping in from outside, enterprises are faced with the situation of employees adding new, unanticipated, and sometimes haphazard components to the network.
"In the Android world, when you download an application, you as a user have the power to decide whether this application has access to certain resources," Teller reminds us. "It gives the user the power to decide yes or no. Users who are not educated will just click 'Yes.' People tend to click, and then think... As soon as you click 'Yes' on an application, and you didn't think about it, you've basically installed malware on your own computer. That happens every day in the Android [Market]."
Again, this from an evangelist whose company sells the program that many believe gave Microsoft the idea for User Account Control - the ultimate "Confirm / Deny" screen. Teller was responding to a demonstration from day 3 of the RSA conference which delivered malware to Android phones, but only after sending an SMS message telling the user to accept an over-the-air update purportedly from Verizon.
The human factor has been playing a greater role in the waves of new attacks discovered during 2011, says Teller. More socially-skewed attack vectors rely on users' willingness either to trust something that says, "Trust me," or to be confused by roadblocks whose easiest exit is the trigger for malware installation. The latest Check Point security management tools, some of which were demonstrated for us, aim to avoid presenting the same kinds of roadblocks to administrators - to educate them rather than giving them something new to exit, cancel, or ignore.
Teller suggests that enterprises use police investigation tactics to avoid being trapped in scenarios like the one that afflicted RSA itself last year. Specifically, re-create the event, and use some clever staging to see whether your own workers would fall for the same gimmicks and booby traps. "Most of the companies say, don't focus on one exploit, because there are going to be many. Look at the technique; look at the pattern of what caused the vulnerability to be triggered." While network analysis and analytics tools may give you a hint as to what could happen, this kind of profiling can only go so far, he points out, toward identifying and nailing the precise culprit.
In the era of the iPad, it's impossible for a network to rely on traditional host-based antivirus. This from Michael Sutton, Vice President of Security Research at Zscaler, one of the earliest cloud-based security services. Unlike Check Point's policy-based approach to security (though by no means a substitute for it), Zscaler's service is a proxy through which Internet traffic is re-routed, monitored, and filtered. What's more, Sutton says, server-centered security appliances are crippled in their ability to monitor traffic from devices connecting over 3G and 4G networks, as well as from virtual desktop platforms.
"Think of Zscaler as a man-in-the-middle," says Sutton (unafraid to invoke a metaphor typically applied to something bad), "the first hop on the way to the Internet. Whereas traditionally your user just goes from the browser to the Web, assuming there's no security in place, there could be ten hops along the way. Now we become that first hop. Rather than pointing your traffic directly to the Web, you're pointing it to a Zscaler node."
There are a number of ways this works. One is the creation of a GRE tunnel from the router, which directs all Web traffic to Zscaler first. In the case of a roaming user outside the office, there may be proxy settings for her laptop. "iOS is a unique beast in that you don't even have that level of control," Sutton admitted, so Zscaler sets up an on-demand IPsec VPN tunnel. This way, the mobile device management system can set traffic routing through profiles pushed to each iPhone or iPad. Whenever communication through the Web takes place, the VPN tunnel is instantly turned on.
"There are actually two added benefits from using a VPN tunnel instead of proxy settings," he admits. "One, you're also getting all traffic from any devices - we're not just dealing with browser traffic. That's really important in a mobile device, because more than 50% of the traffic coming from your smartphone and your tablet is actually coming from apps. Apps are really custom browsers; for the most part, they're sending HTTP, HTTPS traffic. And they can suffer from vulnerabilities just like browser traffic can. Also, the user now has an encrypted channel for all communication, not just SSL sites."
Usually when a user accesses Starbucks' Wi-Fi from her iPad, most of the traffic going between those two points is unencrypted. Zscaler's system, Sutton says, adds the benefit of traffic encryption, making Starbucks via tablet not only viable but, for many, compliant.
"Because of the changing nature of computing power for where data is resident - no longer behind the firewall in a protected environment - this paradigm of bad guys on the outside, safe behind a firewall good guys on the inside, is completely becoming obliterated." This assessment from Michael Denning, who manages the Security Customer Solutions Unit for CA Technologies.
Denning uses the phrase "New World Order" to refer to a realignment of both attack vectors and control points to a single element: identity. "The applications are no longer being run by your trusted insiders. They're being run by SaaS and infrastructure companies; they're residing in somebody else's data center. The applications aren't necessarily being built by you anymore, but instead being shared multi-tenant. So the changing dynamic in the New World Order makes it significantly more important to control the identity."
What's more, suddenly data has become an object of protection in its own right. "It's no longer good enough to say, quarantine a device or an application. The application is becoming the endpoint, and the application is now continuing to explode in growth. But now it's not just resident within your firewall; it's out there in the ether, in the cloud," Denning tells ReadWriteWeb.
He then showed us an example of what CA describes as "fine-grained access control" with respect to individual elements of data. CA's SiteMinder is an identity and access management (IAM) tool for SharePoint sites, which addresses the data people share through SharePoint. In an example of a column being added to a protected Excel spreadsheet, the policies shown here could be used to restrict what types of information can be added to that or any spreadsheet - in order to prevent privacy violations and maintain compliance.
CA's specialty is management tools, so it tends to take a proactive stance toward security, emphasizing monitoring and oversight as critical elements. Denning warns that social networks are replacing e-mail as the means of enticing individuals to trigger the actions that get malware delivered to their devices. The reason, he says, is that messages coming from a friend in a social network are more often trusted than messages purportedly attributed to that same person in e-mail. "I get a message from my buddy on Facebook, I trust him. I don't know that it's some bot. So from a company perspective, I would much rather be in control of that, and be able to monitor and block that. I agree that you can't fight it entirely. Find a way to improve your security by monitoring and managing that. Yes, we can get to that level of granularity where a) we can control what can be done - like you can read, but you can't post; b) we can scan it all for security threats too, like when you download something through Facebook."
Virtual infrastructure security is the key focal point for HyTrust, which produces both services and security appliances for large-scale, virtualized data centers that include scalable private cloud models. It touts a security lifecycle, which recently had five stages but in its latest incarnation is presented as four, two of which HyTrust itself contributes to.
Eric Chiu, HyTrust's president, tells us his company focuses on the two components that most other players in the market omit. One is access control, the ability for administrators to set rules as to who has access to resources, when, and under what conditions. "HyTrust is an access control and policy enforcement system; we can prevent bad things from happening," explains Chiu. "So we can make sure that your administrators can only view specific functions that they're allowed to, and they can't accidentally misconfigure systems and environments that they're not supposed to." (Though the CA brand is missing from the vendors on HyTrust's chart above, the two companies are partners in this department.)
The other is configuration management. "Changes are happening all the time, and you want to make sure that the environment stays configured to a certain standard," says Chiu, "and that standard stays in place. If it drifts, you can remediate that... Configuration management is monitoring the configuration of your systems. So it detects drift."
Network and endpoint security (formerly separate stages in this model) focus on hardening aspects of the environment that are, to some degree, simulated once virtualized, using hypervisor APIs to reach virtualized resources in place of physical ones. "A firewall is a firewall is a firewall. You're just implementing that firewall on a virtual network versus a physical network," the company president tells us. HyTrust adds hardening of the virtualization resources themselves - for example, the hypervisor layer.
Chiu relates the story from last August of a former administrator of a Georgia-based branch of pharmaceutical maker Shionogi, who was able to effectively wipe clean its New York data center's virtual machines and the VMware ESX hosts on which they ran, after he used its unchanged passwords to log in remotely. "It is the equivalent of burning down the servers in the data center," Chiu remarks, "because that company had spent a week recovering the ESX hosts, recovering the storage and networking, and then recovering the VMs from backup, with data loss. And all it took him was three minutes at a McDonald's Wi-Fi in Georgia.
"Your data is housed in this physical building that doesn't have any windows," he continues, "and has card-key access to get in, maybe a guard that signs you in, locked racks... All that's gone, because if you're implementing a virtualized environment, that means that everything is managed remotely in a distributed model, and everything is programmatic. And that guy wasn't even that sophisticated; I can write a script that deletes 5,000 VMs in five minutes. This entire environment now has all of your crown jewels; 50% of your data center is now virtualized."
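As an added defender's example (not HyTrust's or VMware's code, and not from the article), the two signals in Chiu's story expressed as detection logic over constructed audit lines: a login by an account missing from the current administrator roster, and a burst of destructive VM operations from one account within the three-minute window he describes. The log format, user names, addresses and roster are all constructed for illustration.

```python
"""Flag deprovisioned-account logins and bursts of destructive VM operations.
Example written for this article; the audit-line format and every value in
SAMPLE_LOG and ACTIVE_ADMINS are constructed, not real product output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <user> <source ip> <action> <object>"
SAMPLE_LOG = """\
2011-02-03T08:10:02 jsmith 10.1.4.22 Login vcenter
2011-02-03T08:11:15 jsmith 10.1.4.22 VmReconfigured app-db-01
2011-02-03T08:20:40 jsmith 10.1.4.22 VmPoweredOff app-db-01
2011-02-03T09:30:00 exadmin 203.0.113.45 Login vcenter
2011-02-03T09:30:12 exadmin 203.0.113.45 VmPoweredOff mail-01
2011-02-03T09:30:13 exadmin 203.0.113.45 VmRemoved mail-01
2011-02-03T09:30:20 exadmin 203.0.113.45 VmPoweredOff web-01
2011-02-03T09:30:21 exadmin 203.0.113.45 VmRemoved web-01
2011-02-03T09:31:05 exadmin 203.0.113.45 HostRemoved esx-ny-01
"""
ACTIVE_ADMINS = {"jsmith", "mlee"}            # constructed roster from HR / identity provider
DESTRUCTIVE = {"VmRemoved", "VmPoweredOff", "HostRemoved"}
BURST_THRESHOLD = 3                           # destructive ops in one window before alerting
BURST_WINDOW = timedelta(minutes=3)           # matches the "three minutes" in Chiu's account

def parse(log):
    """Turn audit lines into (timestamp, user, ip, action, object) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, ip, action, obj = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, action, obj))
    return events

def deprovisioned_logins(events, active):
    """Logins by accounts that are no longer on the active roster: the unchanged
    password of a departed administrator is exactly this case."""
    return [(ts, u, ip) for ts, u, ip, a, _ in events if a == "Login" and u not in active]

def destructive_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Per user, the largest number of destructive operations that fall inside any
    sliding window of `window`; only users at or above `threshold` are reported."""
    stamps_by_user = defaultdict(list)
    for ts, u, _ip, a, _obj in events:
        if a in DESTRUCTIVE:
            stamps_by_user[u].append(ts)
    alerts = {}
    for u, stamps in stamps_by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[u] = max(alerts.get(u, 0), count)
    return alerts
```

Run on the sample, `jsmith`'s single maintenance power-off stays below the threshold while `exadmin` is reported both for logging in off-roster and for five destructive operations in under a minute; in practice the roster would come from the identity system that should have disabled the account.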