All Posts in “Security”

IAM quick and dirty

In our first post for VDM30in30 we touched on AWS terminology, today we are going to get into IAM since it is at the root of your AWS management. When you first create an AWS account you will set up the root account. It is imperative you lock this account down, for realzies this is not the account you want to use to do your day to day administration or to hand out to other users. It’s best practice to enable multi-factor authentication (MFA) on the root account there are several MFA options you can use find out more here.

IAM allows you to create users but wait there’s more, it also is the service that manages roles and access policies for users and service accounts. It’s also the spot where you perform your key creation for encryption, and tie in other Identity Providers like Active Directory.  screen-shot-2016-11-02-at-11-15-45-am

Policies set access levels to resources. There are predefined policies, you can use policy generator which allows you to select from a list or you can create your own policy from scratch via JSON.

Roles are assigned to users and used to assume policies. You can audit a role and it’s underlying policy and determine which policies are actually being used, which allows for a security practice of least privilege to be applied.  That’s something we talk about in the world of on-screen-shot-2016-11-02-at-11-16-47-amprem administration that is very rarely followed or implemented easily. Here it is just a click of a tab away and an administrator can see what is actually being accessed and make a determination if that role should be limited even further.


So that’s a quick and dirty on IAM, Roles and Policies. Stay tuned for the next #VDM30in30 post tomorrow. Hopefully this is useful to someone other than just my mind dump.

Shifting The Focus of Our Security Lens – By Brian Tobia

I was at a meeting recently with both the security and virtualization teams in the room and they were having trouble connecting security policies and objects that lived in each of their realms. A colleague of mine refers to this as the Rosetta Stone problem in which the security team is usually speaking a different language than the others. What is seemingly important to one team usually doesn’t resonate with the other. The two then become disconnected and one of the biggest advantages an IT team has, information sharing, can be completely lost.

So I came up with an analogy to try and help bridge the gap. Instead of looking at things in terms of IPS/IDS policy, firewall rules, vApp’s, or vDS’s, let’s think about attributes and behaviors of the one element that all teams share in common: the user. If we look at how, say medical insurance polices, are written, every trait about a person is considered and this is the core of what the policy is made up of and also how much it costs (it always comes down to dollars, right?). What if we did the same thing for security policies? If each group or piece of infrastructure that we are trying to secure could communicate back elements about a user, we could combine these all together so not only would we have a more comprehensive security policy, but we would also be speaking the same language.

In this model, security policies now become much more dynamic and rulesets that are active across devices are much more adaptive. You can move from having an environment-wide VDI policy for internal users to having a virtual machine whose policy and access level changes to fit each user as they login or logoff. This not only closes many of the gaps we have with current “Swiss cheese” firewall or security device policies, but it also locks down many communication paths that are most likely unprotected today to the most restrictive set.

I mentioned information sharing before and this is really where open standards and integration between all the security tools in an environment can play well together. The first advantage here is the ability to enforce consistent policy based on user identity across an entire infrastructure. These can be things like Active Directory Group, geographic location, login history, the nature of the access request, etc. All these ingredients can be combined together into something like a recipe that dictates what the security policy should be. For example, the security policy being enforced if I’m sitting in an office accessing servers in the datacenter or if I am connecting from an airport in a new country that I’ve never traveled to could be very different.

The other big advantage of this user-centric approach to security is the increased information flow between solutions. If you think of all the security controls in your environment as a chain of services instead of individual pieces, information about what actions have been taken or what user identity attributes are present can be passed along this chain. This now allows for a device down the line, say Device C, to make a decision or modify policy based on outcomes that have already been produced by Devices A and B. Not only can each control now be smarter by utilizing this additional information, but now you get a global view and enforcement of security policy that is making smarter decisions.

Now notice I didn’t mention any product names…that was on purpose. We’re still getting there within the ecosystem of solutions. Whether it’s open source tools, open API’s, or just vendors working together for these integrations, I hope that shifting our viewpoint from being more device-centric to the magnifying glass now being focused on the actual user will result in better solution collaboration and a wider adoption of newer security technologies. Additionally, if security teams are less isolated from being left out of the design process and also if their reputations can be a little less tarnished from all this, it wouldn’t hurt either 🙂

Brian has been an IT professional for over 10 years in various customer-facing consultancy and technical roles. He specializes in virtualization, networking, and security technologies and holds various industry certifications such as: VCAP5-DCA/DCD, VCP4/5, VCIX-NV, and CISSP. He has authored multiple courses on networking and security topics and is an active member in the industry communities. Brian was also nominated as a VMware vExpert for the past 4 years for his work within the VMware and partner communities. He currently works as a security and compliance specialist for the NSBU within VMware.

Compliance as a Service

Initially I had hoped that this would be a comparison between VMware’s vRealize Air Compliance (vRAC) and Amazon’s AWS Inspector, unfortunately I wasn’t able to get an in depth meeting with AWS inspector team. So hopefully I will be able to follow this up later with the comparison.

At VMworld 2015 VMware announced vRAC a SaaS service for your cloud compliance. When I first heard about this offering I was excited, because this could mean compliance as a service for any cloud environment you built out which would have some pre-configured packages for HIPPA, FedRamp, PCI, etc.

Obviously I was a little overly wishful, but not to worry because what is there is good enough for a solid start. If like me you thought that vRAC was built on the back of VMware’s Configuration Manager (vCM) we were both wrong. vRAC was built from the ground up as a SaaS offering.

At GA release vRAC will come with networking and security best practices for compliance. PCI and HIPPA will be the first external standards outside of the VMware best practices. vCloud Air has undergone SOC 1, 2, & 3, ISO\IEC 27001, and CSA compliance, additionally use of this product can help organizations meet their compliance requirements by ensuring .

vRAC is not just a vCloud Air offering but can also have a connector deployed as a virtual appliance for an on-prem compliance checker. Currently vCloud Air isn’t considered a tenant for vCloud Air, which means when you build out your vCloud Air tenant environment you need to include a vCenter or extend your network to ensure it is covered by the virtual appliance. The service registers as a vCenter extension service.

There is a 1:1 mapping of the vRAC vApp and a vCenter, but you can do multiple vApps to a SaaS instance. All change streams from the vCenter Orchestrator service are logged and compliance baseline changes are flagged and notifications are sent to the compliance admin. Think of the change stream that is shown at the bottom of your vCenter, showing every snapshot, vm creation along with which user kicked off the task.

If all of this sounds good, maybe I should lay out a couple of limitations. FIrst at GA there is a 40,000 object limit, that includes, VM’s, Hosts, Network instances whatever. At go live there will not be vRA integration, but it is planned and in the works. Federal STIG compliance and OS level compliance are also not planned for day 1. vRealize Operations is also on the roadmap not part of day 1 GA.

vRAC is sold as a subscription service, you manage it via your myVMware subscription services. If this sounds like something for you, you can do an eval and check it out. I found it was easy to install and configure, if not somewhat underwhelming right now or my environment isn’t complex enough, but it’s a good start. Tracking compliance is a difficult and complex task, VMware is trying to make it a little bit easier.

If you are interested in pricing you can find that information here.

Now for you security and compliance nerds out there you should know that vRAC uses OVAL (Open Vulnerability Assessment Language) to integrate solutions and maintain reporting standards. The facilities that house the SaaS service meets industry best practices for physical and network security, some more questions are answered in the official FAQ. To the best of VMware’s ability all data in their care is secured, the network path to the service is a secured VPN connection, and controls are set by the tenant administrator for access.  All monitoring is done in real-time, with actionable data with-in 15 minutes of vApp deployment. The vRAC solution is limited to only VMware environments, but this tool is going to have some legs. Check it out and let me know what you think.