Jun 11

I recently listened to a demo done by a software vendor that was running a cloud based service. One of the questions that came up was around how the end user verifies that their data is safe. It wasn’t the question of being safe from hackers but rather the cloud vendor’s own admins. This started a huge internal debate on the VMware cloud team on how, when, and why you should audit your administrator’s activities.

There are probably several answers to this question and I would be really interested to get some comments on how people look over their admins (or don’t) in their own environments. My personal answer to this is if you don’t trust someone that has all the root passwords and a key card to your physical datacenter then you have much bigger issues at hand versus making sure they aren’t touching people’s data.

Still internal issues do pop up. I remember an incident when I worked for the Department of Revenue in the state of Georgia many years ago. Turns out some of the people on the security team were running a “credit cleaning” business. For a certain sum they would log in and clean up your credit record since the state holds a lot of power to do so. Of course after several months of this they were escorted out of the building one day by the FBI. But how did these people get caught? It wasn’t anything too high tech. They simply got greedy, put out ads, and one of the ads turned up on the GBI (the state FBI) bulletin board. Funny how things work.

Like I said, there are many software packages on the market to audit everything that anyone does, but doesn’t someone also maintain those software packages? Isn’t it usually the same people that have admin access to other systems like the security team? How do you stop something at the very top?

Needless to say this is something my team will be thinking about and building into the cloud architectures that we build. Just thought I’d bring it up and start a conversation to see what other people think can be done for this issue.


Nov 18

In an effort to expand some of the knowledge on the blog and get some more relevant posts up I’ve reached out to some people internal to VMware who will contribute here from time to time. First up is a good friend, Rob Randell. I hope you find the different views these guests share. This first post from Rob is more of an intro but you’ll find some more great info from Rob coming soon. Take it away, Rob!

Hi everyone, my name is Rob Randell. I’m a Security Specialist at VMware and Mike is giving me the opportunity to use his blog to talk a bit about virtualization security and more specifically the relationship between the virtualization team and the security teams within the customers that I talk to. My role at VMware allows me to talk to both virtualization professionals and security professionals about the security issues surrounding virtualization as well as the best practices that can help mitigate the risks and architect a deployment. The one thing that I have found in common in the most successful deployments is that the virtualization team works closely with the security team during all phases of the implementation. These customers included the security team as part of the architecture team and made sure they were a part of the deployment each step of the way.


Nov 18

I was reading through one of my more favorite blogs (vinternals) today and it was brought to my attention that Symantec does not support VMotion. I found that a little shocking. No real reason was given for this in the Symantec KB other than intermittent communications. I highly doubt that’s because of VMotion since (a) VMotion doesn’t occur very often and (b) network communication isn’t dropped with a VMotion. And if you’re not going to support VMotion on VMware then where is the lack of support for live migration from the other vendors, which operates in the same manner? It sounds to me like someone over at Symantec doesn’t understand what’s going on. Time for some alliances work. In the meantime I agree with the vinternals guy – customers need to push back on Symantec and tell them it’s time to belly up to the virtualization bar and start doing some real troubleshooting of their issues.

(Via vinternals.)

UPDATE (11-20-2008):

Symantec has updated their support policy. Apparently the old link above was a premature KB article that accidentally got released. Good to see they do know what’s going on. Here’s the new link.


Nov 17

I was reading through a bunch of past articles and came across one about Microsoft patching an SMB security flaw from 7 years ago. Normally this wouldn’t concern me a lot for a couple of reasons:

1) There are a lot of security holes that are less critical or never get exploited and so companies take a while to patch them. I’m not saying that’s a good thing – just that it happens.

2) I’m a big believer that people in glass houses shouldn’t throw stones. I work for a software company and as long as your software is running there could be a security issue. That’s just the nature of complex pieces of software. I don’t like to point out others’ vulnerabilities because it will just circle back around to hit me again.

With that said, this one sort of shocked me. A long time ago I used to do security audits for a living while working for a VAR. One of the very first things I’d do is crack out a tool that exploited the SMB issue referred to in the article to grab the SAM and thus a bunch of great passwords (including Domain Admin). It usually took all of about 5 minutes and worked every time. There are dozens of hacker tools out there on the web that include this exploit. This brings up the question of why Microsoft waited this long to fix a hole exploited by the #1 tool in my arsenal.

I haven’t done any audits in the past 6 1/2 years so maybe this little trick just stopped being used. Maybe people didn’t like the fact that you had to be on the network behind the firewall in order to use this attack. At schools and universities this just meant jacking in at the library or something. For corporations I would usually just set up some fake meeting during lunch, miss the person I was meeting with, and wait for them in a conference room – again behind the firewall. The point is you can’t always trust that something is protected just because it’s behind a firewall, so it really shocks me that this vulnerability is just getting patched.

Hoff, if you’re out there and reading, or any other security-minded people, please let me know what was up with this one.


Nov 09

If you’re ever faced with having to explain that virtualization is or can be secure then Gabe has put together an excellent post for you.

So you have that talk with your security officer again…

(Via Gabe’s Virtual World.)


Oct 19

From time to time I get asked about how compliant VMware is with existing security standards such as HIPAA, SOX, and PCI. I usually talk about the many customers I know who have been through these audits successfully. Now there’s a resource center for the people in charge of maintaining compliance with these standards. The new VMware Compliance Center is now live on the public VMware site. You’ll find a lot of great resources there to help make sure you stay compliant and can pass your tests and audits.
