<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Neil MacDonald &#187; Virtualization Security</title>
	<atom:link href="http://blogs.gartner.com/neil_macdonald/category/virtualization-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.gartner.com/neil_macdonald</link>
	<description>A Member of the Gartner Blog Network</description>
	<lastBuildDate>Fri, 03 Feb 2012 13:55:45 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>Security Observations from Gartner&#8217;s Data Center Summit</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/12/09/security-observations-from-gartners-data-center-summit/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/12/09/security-observations-from-gartners-data-center-summit/#comments</comments>
		<pubDate>Fri, 09 Dec 2011 17:37:38 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Next-generation Data Center]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[GartnerDC]]></category>
		<category><![CDATA[Hypervisor Security]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[vShield]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/12/09/security-observations-from-gartners-data-center-summit/</guid>
		<description><![CDATA[I’m just back from Gartner’s US 2011 Data Center Summit held this week in Las Vegas. In my previous post, I talked about information security vendors’ concerns on the potential impact of the Eurozone crisis on information security spending. Here, I want to outline the top security-related issues and concerns that I discussed with attendees [...]]]></description>
			<content:encoded><![CDATA[<p>I’m just back from Gartner’s US 2011 Data Center Summit held this week in Las Vegas. In my previous post, I talked about information security vendors’ concerns on the potential <a href="http://blogs.gartner.com/neil_macdonald/2011/12/09/will-the-euro-crisis-affect-information-security-spending-2/">impact of the Eurozone crisis on information security spending.</a></p>
<p>Here, I want to outline the top security-related issues and concerns that I discussed with attendees at the conference:</p>
<ul>
<li>Interest in securing the next-generation virtualized data center remains high with most of the questions focused on the separation of workloads of different trust levels (e.g. PCI, DMZ, dev/test) in virtualized environments. In most cases, this will involve the use of <a href="http://blogs.gartner.com/neil_macdonald/2011/08/24/its-time-for-security-to-ascend/">software-based virtualized security controls</a>. Specific to PCI, one attendee indicated their QSA had accepted PCI and non-PCI related workloads on the same physical host without all workloads being considered in scope (in this case, they used externalized physical firewall-based separation).</li>
<li>Several attendees asked if I was aware of any publicized incidents of hypervisor breaches. I’m not, but that doesn’t mean that they won’t (or haven’t) happened. <a href="http://blogs.gartner.com/neil_macdonald/2011/01/26/yes-hypervisors-are-vulnerable/">The vulnerabilities are there</a>. It will happen, it’s just a matter of time – hackers are quite aware that a successful attack at this layer represents an opportunity to penetrate the entire machine regardless of the security controls within each host.</li>
<li>I had several questions on optimizing antimalware scanning in a virtualized environment. Trend Micro has been an early innovator here with its integration <a href="http://blogs.gartner.com/neil_macdonald/2011/06/06/is-single-instance-security-the-future/">with VMware’s vShield Endpoint APIs</a>, but there are other options and approaches, each with pros and cons.</li>
<li>In terms of cloud security, most questions revolved around extending enterprise virtualized data centers to public cloud IaaS providers in hybrid scenarios and how to protect this.</li>
<li>The second most common cloud security issue discussed was the use of encryption and other approaches to securing data in the cloud. <a href="http://blogs.gartner.com/neil_macdonald/2011/07/15/seven-cloud-computing-pet-peeves/">Since cloud isn’t one thing</a>, our approaches to securing data in the cloud will be different at different layers.</li>
</ul>
<p>It was a great conference with record-setting attendance. It’s clear to me that <a href="http://blogs.gartner.com/neil_macdonald/2010/01/04/six-trends-that-will-further-reshape-information-security-in-2010/">virtualization, mobilization and cloud computing are transforming the enterprise data center</a> and that information security needs to evolve to support this. Based on the interests from attendees of the conference in information security, I’d say they feel exactly the same way.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/12/09/security-observations-from-gartners-data-center-summit/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Security Observations from European Symposium</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/11/14/security-observations-from-european-symposium/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/11/14/security-observations-from-european-symposium/#comments</comments>
		<pubDate>Mon, 14 Nov 2011 12:02:14 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[application security testing tools]]></category>
		<category><![CDATA[GartnerDC]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[symposium]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/11/14/security-observations-from-european-symposium/</guid>
		<description><![CDATA[I spent the last week in Barcelona with 4,000+ attendees at the 2011 Gartner European Symposium. It was a new venue for Gartner (we were displaced from Cannes by the G20), and I’m happy to say it was fantastic, with record attendance. Security was front and center of attendee interests. We had a total [...]]]></description>
			<content:encoded><![CDATA[<p>I spent the last week in Barcelona with 4,000+ attendees at the 2011 Gartner European Symposium. It was a new venue for Gartner (we were displaced from Cannes by the G20), and I’m happy to say it was fantastic, with record attendance.</p>
<p>Security was front and center of attendee interests. We had a total of 23 security sessions throughout the 4 days. Like the US Fall Symposium, I was fully booked with 1-1 sessions where attendees are able to meet and discuss their issues and questions with analysts.</p>
<p>The top issues of our European attendees <a href="http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/">differed from those at Gartner’s US Fall Symposium</a>. Here’s what was top of mind in Europe:</p>
<p><strong>1) Protecting information.</strong> I had a large number of discussions on how to move information security beyond just a “bottoms up” approach to information security. These organizations felt they had a good handle on traditional firewalling, IPS and endpoint protection but hadn’t done much for information protection beyond encrypting laptops. In addition to encouraging them to think about <a href="http://blogs.gartner.com/neil_macdonald/2010/02/24/its-time-to-redefine-dlp-as-data-lifecycle-protection/">information security protection as a process</a>, we also discussed specific technical controls such as database activity monitoring, file activity monitoring and web application firewall/monitoring solutions.</p>
<p><strong>2) Cloud security.</strong> <a href="http://blogs.gartner.com/neil_macdonald/2011/07/15/seven-cloud-computing-pet-peeves/">Cloud isn’t one thing, security isn’t either</a>, so these discussions varied. Most were focused on how to better secure access to cloud-based services at the Software-as-a-Service level. There were some questions on IaaS, but only one on securing PaaS. In that case it was a leading-edge client moving their entire business as a service provider to Microsoft’s Azure platform and we discussed encryption options within Microsoft’s Azure.</p>
<p><strong>3) Hosted Virtual Desktop</strong> (or if you prefer, Virtual Desktop Infrastructure). In these conversations, the interest was driven primarily as a way to provide access to legacy Windows applications while maintaining control of the information. Several conversations were on the pros/cons of VDI as compared to traditional terminal services. There are strengths and weaknesses to each approach. In a separate roundtable on virtualization and security that I moderated, the preference of the attendees of the session was to use full VMs (VDI/HVD) rather than terminal services.</p>
<p><strong>4) Application security.</strong> This is really a form of #1 above, but focusing on securing the applications that handle the sensitive information. Most had adopted <a href="http://blogs.gartner.com/neil_macdonald/2011/01/19/static-or-dynamic-application-security-testing-both/">some amount of security testing</a>, but were interested in pushing testing further back into software development. There was a significant amount of interest in testing-as-a-service offerings, many of which are quite inexpensive as compared to testing in house. In most of these cases, testing as a service wasn’t replacing what they were doing, just augmenting it.</p>
<p>Overall, the biggest difference I saw in the interests of European attendees from US attendees was the intense interest in specific ways and mechanisms to augment traditional “bottoms up” security mechanisms with a “top down” approach to protecting information. Both are needed.</p>
<p>That’s a good sign that information security organizations are understanding that in a world where IT increasingly doesn&#8217;t own or control much of the IT stack (end user device, network, server, OS, etc), our focus absolutely <a href="http://blogs.gartner.com/neil_macdonald/2009/03/12/does-securing-information-require-a-different-mindset/">must shift up to various ways to protect the information.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/11/14/security-observations-from-european-symposium/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>US Symposium Summary from a Security Perspective</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/#comments</comments>
		<pubDate>Mon, 24 Oct 2011 13:22:51 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Beyond Anti-Virus]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Microsoft Security]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[Adaptive Security Infrastucture]]></category>
		<category><![CDATA[Context-aware Security]]></category>
		<category><![CDATA[DC-Summit-NA]]></category>
		<category><![CDATA[Endpoint Protection Platform]]></category>
		<category><![CDATA[symposium]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/</guid>
		<description><![CDATA[Last week I attended Gartner’s US Symposium conference in Orlando. With 8,000+ attendees (25% of which were CIOs) and at least 1,000 more analysts, vendors and support staff, you can imagine it was quite a scene. In addition to three presentations, I had more than 30 fantastic one on ones with attendees over the four [...]]]></description>
			<content:encoded><![CDATA[<p>Last week I attended Gartner’s US Symposium conference in Orlando. With 8,000+ attendees (25% of which were CIOs) and at least 1,000 more analysts, vendors and support staff, you can imagine it was quite a scene.</p>
<p>In addition to three presentations, I had more than 30 fantastic one on ones with attendees over the four days.</p>
<p>What was hot? Many of the same issues I blog about. In order of priority, most attendee discussions were on:</p>
<p>1) Endpoint security, <a href="http://blogs.gartner.com/neil_macdonald/2011/07/19/the-key-to-successful-application-control-is-not-to-control-applications/">application control and whitelisting.</a> Microsoft is causing significant disruption in this market with its <a href="http://blogs.gartner.com/neil_macdonald/2011/08/04/microsofts-forefront-endpoint-protection-is-it-good-enough/">new version of Forefront Endpoint Protection</a> and its change in licensing policies.</p>
<p>2) Strategies for <a href="http://blogs.gartner.com/neil_macdonald/2011/07/11/sand-castles-and-advanced-persistent-threats/">protection against advanced threats</a> (note that this overlaps with #1 a bit).</p>
<p>3) Security trends – what are the major trends we are seeing in information security and are they missing anything? What investments should we be thinking about for 2012?</p>
<p>4) Virtualization and security – trust/assurance of the hypervisor for separation of workloads of different trust levels as well as protecting VMs as they move offsite into Cloud-based providers.</p>
<p>Surprisingly, I only had one or two conversations on application security – specifically looking for best practices to push security testing further back in the SDLC.</p>
<p>In terms of “Cloud”, I think most organizations are moving beyond the ill-defined hype of “cloud security” and looking for specific advice and best practices for addressing specific cloud-related computing concerns. That’s a welcome step forward. <a href="http://blogs.gartner.com/neil_macdonald/2011/07/15/seven-cloud-computing-pet-peeves/">Cloud is a computing style, not a location.</a> It’s great to see people embrace this computing style and look to proactively build security in. Thursday afternoon’s presentation on securing private clouds had a good crowd for the final day. The biggest reaction was on the evolution of security <a href="http://blogs.gartner.com/neil_macdonald/2010/12/01/securing-private-clouds-requires-changes-to-information-security-infrastructure/">to a set of software-based services delivered by programmable infrastructure.</a> I think most IT security professionals have become so accustomed to their firewalls as a physical box, they have a difficult time <a href="http://blogs.gartner.com/neil_macdonald/2011/08/24/its-time-for-security-to-ascend/">imagining firewall services decoupled from the physical hardware underneath</a> and shifting to security policies based on logical, not physical, attributes. Indeed, I believe the biggest challenges to the security of private clouds will be related to cultural and mindset change issues, not technical.</p>
<p>If you follow my thoughts from the conference on <a href="http://twitter.com/#!/@nmacdona/">twitter (@nmacdona),</a> you’ll see some of the feedback on my context-aware security presentation. Despite losing AC during the presentation (not good in Florida, even in October!), the crowd stuck it out with some hanging out in the doorways to watch the presentation and catch a breeze at the same time.</p>
<p>As I have discussed previously many times, all of <a href="http://my.gartner.com/portal/server.pt?open=512&amp;objID=260&amp;mode=2&amp;PageID=3460702&amp;id=1369721&amp;ref=clientFriendlyUrl">information security is becoming context-aware and adaptive</a> and this attribute will be a key characteristic of all next generation security offerings (<a href="http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-prevention/">IPS</a>, FW, endpoint protection, IAM, DLP, and so on).</p>
<p>Overall, it was another great Symposium conference (my 15th with Gartner!). They just keep getting better. For those of you that didn’t make it, I’m attending <a href="http://www.gartner.com/technology/summits/na/data-center/">Gartner’s upcoming US Data Center summit in December in Las Vegas</a> and we can catch up there.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Building Context-Aware Security: VMware Acquires PacketMotion</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/08/27/building-context-aware-security-vmware-acquires-packetmotion/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/08/27/building-context-aware-security-vmware-acquires-packetmotion/#comments</comments>
		<pubDate>Sat, 27 Aug 2011 23:06:11 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[Adaptive Security Infrastucture]]></category>
		<category><![CDATA[Context-aware Security]]></category>
		<category><![CDATA[Next-generation Data Center]]></category>
		<category><![CDATA[VMware]]></category>
		<category><![CDATA[vShield]]></category>
		<category><![CDATA[vSphere]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/08/27/building-context-aware-security-vmware-acquires-packetmotion/</guid>
		<description><![CDATA[VMware quietly disclosed it has acquired PacketMotion in this recent blog post by Dean Coza of VMware. We identified PacketMotion as a cool vendor in Gartner in this 2009 research for clients. Essentially, PacketMotion uses standard Intel-based hardware appliances (as well as a virtualized probe implementation that runs inside of virtualized environments) to deliver full [...]]]></description>
			<content:encoded><![CDATA[<p>VMware quietly <a href="http://blogs.vmware.com/console/2011/08/vmware-acquires-packetmotion.html">disclosed it has acquired PacketMotion in this recent blog post by Dean Coza of VMware</a>.</p>
<p>We identified <a href="http://www.gartner.com/resId=913636">PacketMotion as a cool vendor in Gartner in this 2009 research for clients.</a> Essentially, PacketMotion uses standard Intel-based hardware appliances (as well as a virtualized probe implementation that runs inside of virtualized environments) to deliver full layer 7 decodes of sessions, providing context-aware security monitoring with application and identity awareness.</p>
<p>So why the acquisition?</p>
<p>VMware’s vShield App offering already provides some amount of application awareness, which came from its acquisition of BlueLane; PacketMotion’s application decodes will augment this capability. The more important capability is related to delivering identity awareness. In this recent research note for clients on vShield <a href="http://www.gartner.com/resId=1482321">(“VMware Pushes Further Into the Security Market With Its vShield Offerings”)</a>, I identified identity awareness as a key need for vShield App:</p>
<blockquote><p>VMware provides only basic application awareness in the first release of vShield App. Richer application, identity and content awareness capabilities are expected in future releases.</p></blockquote>
<p>Why context? In this research note for clients “<a href="http://www.gartner.com/resId=1369721">The Future of Information Security is Context-Aware and Adaptive”</a>, I stated:</p>
<blockquote><p>Rapidly changing business and threat environments, as well as user demands, are stressing static security policy enforcement models. Information security infrastructure must become adaptive by incorporating additional context at the point when a security decision is made, and we are already seeing signs of this transformation. Network security solutions are evolving to incorporate “application awareness” and “identity awareness” into their offerings. Information protection solutions are evolving to deliver “content awareness.” Application, identity and content awareness are all part of the same underlying shift to incorporate more context at the point when a security policy enforcement decision is made. To enable faster and more-accurate assessments of whether a given action should be allowed or denied, we must incorporate more real-time context information at the point when a security decision is made.</p></blockquote>
<p>Adding identity, application and content awareness to information security policy decision making are all examples of the same fundamental shift to <a href="http://blogs.gartner.com/neil_macdonald/2010/05/15/the-future-of-information-security-is-context-aware-and-adaptive/">make information security context-aware and adaptive.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/08/27/building-context-aware-security-vmware-acquires-packetmotion/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It&#8217;s Time for Security to Ascend</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/08/24/its-time-for-security-to-ascend/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/08/24/its-time-for-security-to-ascend/#comments</comments>
		<pubDate>Wed, 24 Aug 2011 15:23:27 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[Adaptive Security Infrastucture]]></category>
		<category><![CDATA[Context-aware Security]]></category>
		<category><![CDATA[Next-generation Data Center]]></category>
		<category><![CDATA[Virtual Appliances]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/08/24/its-time-for-security-to-ascend/</guid>
		<description><![CDATA[As I research into the future of adaptive security infrastructure, I am convinced that the future of information security lies in software, not hardware. If you think about it for a bit, most of information security policy enforcement is in the form of software already – it’s just embodied (entombed?) in physical hardware. Unfortunately, the [...]]]></description>
			<content:encoded><![CDATA[<p>As I research into the future of adaptive security infrastructure, I am convinced that the future of information security lies in software, not hardware.</p>
<p>If you think about it for a bit, most of information security policy enforcement is in the form of software already – it’s just embodied (entombed?) in physical hardware.</p>
<p>Unfortunately, the rigidity of hardware slows down our ability to support rapidly changing computing environments. As data centers are increasingly virtualized, as users become more mobile and as organizations increasingly adopt public cloud-based services, security controls must shed their physical shackles and exist as software-based enforcement points that can be placed when and where needed.</p>
<p>If you are a science fiction fan, it’s kinda like “ascension” – as intelligent species evolved they shed their physical bodies and exist as pure energy – <a href="http://stargate.wikia.com/wiki/Ascension">like this example in StarGate</a> (and I’m sure there are many other examples). As described in the StarGate Wiki:</p>
<blockquote><p><strong>Ascension</strong> is a process that allows beings to be able to separate from their physical bodies and to live eternally as pure energy in a superior plane with greater amount of knowledge and power. It can be a mental, spiritual or evolutionary process—a direct result of obtaining a certain level of wisdom and knowledge…</p></blockquote>
<p>Superior plane? More knowledge? Wisdom? Bring this to information security! OK, so the analogy may be a stretch.</p>
<p>Regardless, the future of information security is a set of <a href="http://www.gartner.com/resId=1369721">context-aware</a>, software-based security policy enforcement points that can be placed when and where needed within a virtualized or cloud-based computing architecture. Depending on the context, there may be a need to embody the control in hardware, at other times <a href="http://blogs.gartner.com/neil_macdonald/2010/02/19/virtualization-security-challenges-the-status-quo/">as a virtual appliance</a> in my own data center and in other situations as a cloud-based service provided by someone else. Supporting <a href="http://blogs.gartner.com/neil_macdonald/2010/03/12/intelligent-hybrid-security-is-the-future/">hybrid scenarios</a> will be an absolute requirement.</p>
<p>Even when embodied in hardware, many architectures are shifting to x86-based hardware foundations, with proprietary hardware typically only required for encryption offload, and even here the latest Intel chipsets support encryption instruction acceleration.</p>
<p>The core value proposition and differentiation of security vendors will come from their software, not hardware, and their ability to use context to support dynamic computing models with adaptive security policies that can adjust in real-time as users and devices move between on-premises and cloud-based services.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/08/24/its-time-for-security-to-ascend/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Key to Successful Application Control is not to Control Applications</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/07/19/the-key-to-successful-application-control-is-not-to-control-applications/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/07/19/the-key-to-successful-application-control-is-not-to-control-applications/#comments</comments>
		<pubDate>Tue, 19 Jul 2011 13:46:14 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Virtualization Security]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/07/19/the-key-to-successful-application-control-is-not-to-control-applications/</guid>
		<description><![CDATA[Counterintuitive? Yup. I’ve worked with hundreds of clients on the design and implementation of application control (whitelisting) solutions. The key to a successful application control implementation is *not* having to manually manage the whitelist on an application-by-application basis. Our goal should be to identify and approve how trust propagates to files on a system and [...]]]></description>
			<content:encoded><![CDATA[<p>Counterintuitive? Yup.</p>
<p>I’ve worked with hundreds of clients on the design and implementation of <a href="http://blogs.gartner.com/neil_macdonald/2010/05/11/application-control-whitelisting-interest-is-growing-rapidly/">application control (whitelisting)</a> solutions. The key to a successful application control implementation is *not* having to manually manage the whitelist on an application-by-application basis.</p>
<p>Our goal should be to identify and approve how trust propagates to files on a system and not be forced to approve each file individually – a concept referred to as “trusted change”. For end-user desktop computing, manually managing a whitelist on a file by file basis simply won’t scale. How can we automate the management of the whitelist? Here are some examples:</p>
<ul>
<li>If a file/application/update is digitally signed by an application publisher that I trust, then the entire installation is trusted. This is probably the most common example and is the foundation of Microsoft’s improvements with <a href="http://blogs.gartner.com/neil_macdonald/2009/10/23/windows-7-launches-with-lots-of-security-features/">Windows 7 AppLocker</a> over Windows XP’s Software Restriction Policies.</li>
<li>If a file/application/update is installed by a trusted process (e.g. software distribution agent) on a system, then the entire installation is trusted.</li>
<li>If a file/application/update is installed by a self-updating application (e.g. iTunes, Chrome, Firefox), then these changes are automatically trusted.</li>
<li>If a trusted user/group (e.g. IT admin, departmental admin) installs the application, then the entire installation is trusted.</li>
</ul>
<p>These are just a few of the more common examples out of the 20 or so scenarios that I believe are important. <a href="http://www.gartner.com/resId=1355923">I’ve outlined these for clients evaluating application control solutions in a spreadsheet toolkit</a> with the evaluation categories and suggested weightings.</p>
<p>Bottom line: Controlling whether or not a given file can execute is the easy part. The success of any end-user targeted application control project is in the automated care and feeding of the whitelist. There is simply no way this can be managed on a file by file basis.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/07/19/the-key-to-successful-application-control-is-not-to-control-applications/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Seven Cloud Computing Pet Peeves</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/07/15/seven-cloud-computing-pet-peeves/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/07/15/seven-cloud-computing-pet-peeves/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 17:10:13 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[Next-generation Data Center]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/07/15/seven-cloud-computing-pet-peeves/</guid>
		<description><![CDATA[1) Treating Cloud as one thing. At a minimum, clarify whether you are talking about SaaS, PaaS, or IaaS – and whether you are talking about public or private cloud implementations. 2) Assuming Cloud always means Public Cloud. Cloud is a computing style, not a location. 3) Citing Security as the number one issue to [...]]]></description>
			<content:encoded><![CDATA[<p><strong>1) Treating Cloud as one thing.</strong></p>
<p>At a minimum, clarify whether you are talking about SaaS, PaaS, or IaaS – and whether you are talking about public or <a href="http://blogs.gartner.com/neil_macdonald/2010/12/02/everything-you-wanted-to-know-about-private-clouds/">private cloud</a> implementations.</p>
<p><strong>2) Assuming Cloud always means Public Cloud</strong></p>
<p>Cloud is a computing style, not a location.</p>
<p><strong>3) Citing Security as the number one issue to the adoption of Cloud without digging deeper</strong>.</p>
<p>“Security” is too vague. “Cloud” is too vague. Combined, this statement is pretty much meaningless. See #1 above. <a href="http://blogs.gartner.com/neil_macdonald/2010/12/16/security-is-the-top-concern-for-public-cloud-but-what-does-that-really-mean/">Cloud isn’t one thing, so securing the Cloud can’t be one thing either</a>.</p>
<p><strong>4) Equating virtualization to the Cloud</strong></p>
<p>Virtualization is a stepping stone for Cloud, especially in enterprise data centers, but it is not required for Cloud computing.</p>
<p><strong>5) Assuming Cloud is always less expensive.</strong></p>
<p>In most cases, the driver is speed and agility, or that the cost is OpEx not CapEx. Overall costs are likely to be the same or higher.</p>
<p><strong>6) Assuming that moving to the Cloud gives my application resiliency.</strong></p>
<p>If you have a critical application, the move to the Cloud doesn’t automagically endow your application with resiliency. <a href="http://blogs.gartner.com/neil_macdonald/2011/05/09/since-we-still-need-diesel-generators-for-backup-power-are-utilities-useless/">You have to architect for this.</a> Amazon AWS users found this out the hard way.</p>
<p><strong>7) Referring to traditional hosting as “Cloud”</strong></p>
<p>Many deployments of Microsoft’s BPOS and now Microsoft’s Office 365 use Microsoft’s “dedicated” offering with servers dedicated to the enterprise, but run by Microsoft. Call it what you will, but this is traditional hosting under the Cloud moniker.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/07/15/seven-cloud-computing-pet-peeves/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don&#8217;t Trust Your Servers</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/06/17/dont-trust-your-servers/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/06/17/dont-trust-your-servers/#comments</comments>
		<pubDate>Fri, 17 Jun 2011 19:15:11 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Beyond Anti-Virus]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[Adaptive Security Infrastructure]]></category>
		<category><![CDATA[APTs]]></category>
		<category><![CDATA[Defense-in-Depth]]></category>
		<category><![CDATA[Security-Summit-NA]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/06/17/dont-trust-your-servers/</guid>
		<description><![CDATA[One of the toughest problems in information security is addressing advanced intrusions that have bypassed traditional security controls and now reside undetected on enterprise systems. With financially motivated attacks and state-sponsored “advanced persistent threats” both on the rise, intrusions can remain undetectable for extended periods of time. We have reached a point where our systems [...]]]></description>
			<content:encoded><![CDATA[<p>One of the toughest problems in information security is addressing advanced intrusions that have bypassed traditional security controls and now reside undetected on enterprise systems. With financially motivated attacks and state-sponsored <a href="http://blogs.gartner.com/neil_macdonald/2011/04/04/are-apts-really-new-observations-from-the-apt-summit/">“advanced persistent threats”</a> both on the rise, intrusions can remain undetectable for extended periods of time.</p>
<p>We have reached a point where our systems must be considered to have been compromised, even if we don’t have a signature to prove it. All workloads are suspect, even if they appear to be healthy.</p>
<p>How do we protect ourselves in such an environment? There are multiple ways (defense in depth) to counter the threat of APTs; however, one important and radically new approach is to systematically reprovision server OS and application workloads from high-assurance repositories and templates. <a href="http://blogs.gartner.com/neil_macdonald/2011/06/16/improving-security-by-killing-server-and-desktop-workloads/">We call this SWR</a> – short for <strong>“systematic workload reprovisioning”.</strong></p>
<p>Rather than having to trust every production server, we can reduce the scope of trust to the high-assurance libraries, models, templates and files that are used to periodically reprovision the servers. This reduces the ability of the hacker to maintain their undetected foothold in our systems.</p>
<p>I’ve just published two research notes for Gartner clients that detail the SWR strategy. The first explains the concept and the second explores the implications and considerations for information security and operations management where SWR is adopted.</p>
<p><a href="http://www.gartner.com/resId=1724420">Systematic Workload Reprovisioning as a Strategy to Counter Advanced Persistent Threats: Concepts</a></p>
<p><a href="http://www.gartner.com/resId=1724643">Systematic Workload Reprovisioning as a Strategy to Counter Advanced Persistent Threats: Considerations</a></p>
<p>For some curmudgeonly information security and operations professionals, this approach will seem radical. “Take down perfectly good (ostensibly) server workloads? Heresy!”</p>
<p>However, there is a precedent in human physiology. The human immune system has a similar challenge with cancer — a situation where the instructions within the body&#8217;s own workloads (cells) are compromised and cause damage from within. Much like APTs, cancer isn&#8217;t detectable by the human immune system using its traditional signature-based (antibody) mechanisms or its adaptive immune system (T cell and B cell) mechanisms.</p>
<p>The human immune system uses apoptosis — programmed cell death — as one of its strategies to counter the advanced and persistent threat of cancer (if apoptosis is inhibited, then cells have a greater chance of becoming cancerous). With apoptosis, all workloads (cells) are autonomically regenerated from a high-assurance set of instructions (DNA) located in the nucleus of the cell or another location within the body, such as the bone marrow for blood cells. Similar to an SWR strategy, apoptosis occurs when cells appear to be damaged, as well as when they appear to be healthy.</p>
<p>Why can’t information security take some lessons from the human immune system? We’ve been dealing with advanced threats for millions of years and <a href="http://blogs.gartner.com/neil_macdonald/2011/01/25/100-prevention-is-a-fallacy-lockdown-is-a-flawed-strategy/">routinely deal with threats that have bypassed our perimeter protection mechanisms.</a></p>
<p>Food for thought.</p>
<p>I’ll be talking about SWR next week at <a href="http://www.gartner.com/technology/summits/na/security/">Gartner’s Information Security Summit in Washington DC.</a> I hope to see you there.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/06/17/dont-trust-your-servers/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Improving Security by Killing Server and Desktop Workloads</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/06/16/improving-security-by-killing-server-and-desktop-workloads/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/06/16/improving-security-by-killing-server-and-desktop-workloads/#comments</comments>
		<pubDate>Thu, 16 Jun 2011 13:38:53 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Beyond Anti-Virus]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[Adaptive Security Infrastructure]]></category>
		<category><![CDATA[APTs]]></category>
		<category><![CDATA[Defense-in-Depth]]></category>
		<category><![CDATA[Security-Summit-NA]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/06/16/improving-security-by-killing-server-and-desktop-workloads/</guid>
		<description><![CDATA[It sounds counterintuitive, but today’s advanced threat environment requires new approaches to the ongoing security and management of server and desktop workloads. The trouble with Advanced Persistent Threats is that, by definition, they have evaded our traditional network and endpoint security controls and now reside undetected in our IT Systems. How many advanced intrusions will [...]]]></description>
			<content:encoded><![CDATA[<p>It sounds counterintuitive, but today’s advanced threat environment requires new approaches to the ongoing security and management of server and desktop workloads.</p>
<p>The trouble with <a href="http://blogs.gartner.com/neil_macdonald/2011/04/04/are-apts-really-new-observations-from-the-apt-summit/" target="_blank">Advanced Persistent Threats</a> is that, by definition, they have evaded our traditional network and endpoint security controls and now reside undetected in our IT Systems. How many advanced intrusions will it take (such as RSA, Lockheed, Google, IMF, …) before you reach the same conclusion that many of us already have:</p>
<p><strong>Your systems have been compromised. You just don’t know it (yet).</strong></p>
<p>To counter APTs, new approaches are needed. Using virtualization of OS and applications, as well as taking advantage of resilient web- and cloud-oriented scale-out application architectures, we can take a new approach: periodically rebuild and reprovision server and desktop workloads from a high-assurance library of base image files. In short, periodically killing live workloads and restoring them to a high-assurance state – even if they appear to be healthy. I call this “systematic workload reprovisioning” – SWR for short.</p>
<p>An SWR strategy reduces the dwell time of an intruder and will appeal to information security professionals looking for new ways to counter advanced intrusions against high-risk workloads.</p>
<p>It sounds straightforward, but embracing SWR requires a radical change in mindset for information security professionals: live workloads are no longer fully trusted. Instead of having to trust thousands of live workloads, our trust model is collapsed to the high-assurance libraries and templates that are used to periodically reprovision the workloads. Thus, SWR has several implications for the ongoing management of workloads that must be considered.</p>
<p>I’ve just published two research notes for Gartner clients that detail the SWR strategy. The first explains the concept and the second explores the implications and considerations for information security and operations management where SWR is adopted.</p>
<p><a href="http://www.gartner.com/resId=1724420">Systematic Workload Reprovisioning as a Strategy to Counter Advanced Persistent Threats: Concepts</a></p>
<p><a href="http://www.gartner.com/resId=1724643">Systematic Workload Reprovisioning as a Strategy to Counter Advanced Persistent Threats: Considerations</a></p>
<p>There is no silver bullet in information security, but SWR will become an accepted strategy and part of a <a href="http://blogs.gartner.com/neil_macdonald/2011/04/27/if-detection-is-security-101-why-do-we-keep-getting-nailed-with-apts/">defense-in-depth strategy</a> for dealing with APTs in forward-leaning information security organizations over the next five years.</p>
<p>I’ll be talking about SWR next week at <a href="http://www.gartner.com/technology/summits/na/security/">Gartner’s Information Security Summit in Washington DC.</a> I hope to see you there.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/06/16/improving-security-by-killing-server-and-desktop-workloads/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is Single Instance Security the Future?</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/06/06/is-single-instance-security-the-future/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/06/06/is-single-instance-security-the-future/#comments</comments>
		<pubDate>Mon, 06 Jun 2011 18:00:09 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[VMsafe]]></category>
		<category><![CDATA[VMware]]></category>
		<category><![CDATA[vShield]]></category>
		<category><![CDATA[vSphere]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/06/06/is-single-instance-security-the-future/</guid>
		<description><![CDATA[I’ve been researching the intersection between virtualization and security for several years. Like security and cloud computing, virtualization and security is also following a maturity curve. The first several years were discussions with clients on how to deploy virtualization securely. Over the past 2 years, I’ve had an increasing number of calls on the virtualization [...]]]></description>
			<content:encoded><![CDATA[<p>I’ve been researching the intersection between virtualization and security for several years. Like <a href="http://blogs.gartner.com/neil_macdonald/2010/02/25/the-evolution-of-cloud-security/">security and cloud computing</a>, virtualization and security is also <a href="http://blogs.gartner.com/neil_macdonald/2010/11/08/lessons-from-the-windows-firewall-on-the-evolution-of-virtualization-security/">following a maturity curve</a>.</p>
<p>The first several years were discussions with clients on how to deploy virtualization securely.</p>
<p>Over the past 2 years, I’ve had an increasing number of calls on the virtualization of security controls such as firewalling/segmentation and intrusion prevention systems.</p>
<p>More recently, there’s been an increase in calls on using virtualization to do things better than we can do today. One great example is the notion of “single instance security”. I originally wrote about using virtualization to radically transform security back in 2008 (<a href="http://www.gartner.com/DisplayDocument?id=623340">in this research note for clients</a>).</p>
<p>Today, there are many offerings coming to market that use virtualization to make the security protection of multiple virtual machines more efficient and effective. One example is Trend Micro’s agentless AV solution (Deep Security), which uses <a href="http://www.gartner.com/resId=1438438">VMware’s vShield Endpoint</a> set of hypervisor-level APIs to offload AV scanning from multiple VMs to a single “security VM” – or, in other words, <strong>single instance security</strong>. You don’t have to use VMware’s APIs to transform security. Note that McAfee’s MOVE technology and offerings do this in a way that is hypervisor-neutral.</p>
<p>You can imagine the same approach being used for security policy enforcement such as behavioral monitoring, host-based intrusion prevention, application control and <a href="http://blogs.vmware.com/security/2009/07/vshield-zones-rsa-dlp-proof-of-concept.html">data loss prevention.</a></p>
<p>Single instance security in a virtualized environment provides the best of both worlds: the insight and context of a host-based agent combined with the single instance ease of management of a network-based approach.</p>
<p>These approaches are so powerful that we project that 40% of security controls used within data centers will be virtualized in 2015, up from less than 5% at YE2010.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/06/06/is-single-instance-security-the-future/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

