Proactive with a Personal Touch
I was talking with a friend lately about proactive security. She mentioned a “proactive” practice she employed several years ago as a staff member of the security department of a large local bank when new system administrators were brought on board. The bank’s CISO had identified several security best practices that they wanted all privileged users to follow. The problem was that new system admins were not indoctrinated into these practices as part of their on-boarding process resulting in some cyber mishaps and compliance issues. Being proactive, she set up a process with HR to make sure she was alerted when a new system admin hire was coming on board. Once alerted, she would quickly schedule a time to meet with the new hire and walk through the security practices. She would also leave a template that documented the security practices behind for reference by the new system administrator. Although simple, this proactive security awareness process was effective in keeping system admins in touch with the security practices they needed to follow.
In contrast, I am often amazed at the lack of proactive processes like the one my friend described by many of the government agencies to which I come in contact. I will on occasion read an IG or GAO report on the security state of an agency and invariably there is a statement like “system owners did not fully understand their roles and responsibilities,” or “DAA has not taken role-based training,” or “security awareness training program not implemented,” to name just a few. Come on people! This is basic but important stuff. We need to start treating security as a first class mission element to ever turn the corner on our cybersecurity problems.
I don’t lay the blame entirely on the doorstep of our CISOs, COOs, or agency heads. This lack of proactive security also extends to the majority of vendors who ship products that are not secure by default or design. Also, many security tools are just overly complicated to implement and maintain. We need to adjust the mindsets of developers to one of usability and security as well as function and feature to meet the challenges we face on the cybersecurity front.
Proactive with a Security Touch
Happily, there seems to be some vendors who are starting to get it. One example is Nutanix. Nutanix converges compute, storage, and virtualization into a turnkey hyperconverged solution that is deployed in scale-out clusters. It reduces power and space, and dramatically eliminates storage complexity. It runs VMWare or its own built-in Acropolis (KVM-based) hypervisor to deliver stable, secure computing services. However, what really caught my eye about Nutanix were three things that, in my opinion, distance them from their competitors:
- their commitment to security as part of their software development life cycle
- their support for out-of-the-box security
- their focus on simplification and usability
As reported to me by a Nutanix engineer, the Nutanix software development process is really security led. They have true buy-in to security from the top, so it’s foundational — not the last minute burden or hurdle to get a product out the door. They use security-experienced members in the test / QA processes and all milestones include a security sign-off — the code doesn’t move forward until the security issues are dealt with. They leverage a high degree of automation and an agile model for their dev/test/QA environment, continually assessing the security posture of the product, and they integrate CVE patching for every new baseline release.
Nutanix also follows a secure-by-default approach. They start with the premise – “Don’t expect the customer to know more about our product security than we do,” and try to lift the burden of compliance from the customer. Nutanix applies a hardened appliance model that minimizes the attack surface by removing unneeded components and reduces configuration errors. They also document technical security implementation guidance, written in XCCDF format, to support the Security Content Automation Protocol (SCAP) standard. This standard is supported by many security scanning tools to check for configuration compliance of a platform. Applying this standard offers several benefits including:
- It is machine readable
- It simplifies checking of security posture
- It supports transition to real-time continuous monitoring
- It significantly shortens assessment and authorization processes.
They also ship a Salt utility with their product. Salt is a robust, Python-based, automation and management framework, and offers a simplified way to check and fix a system baseline. It can be configured to run periodic SCAP checks in the background to ensure that the Nutanix platform stays compliant to configuration guidance – that is, the platform self-heals by correcting misconfigurations of security states. That sounds proactive and adaptive to me.
From a simplicity standpoint, hyperconverged systems, by necessity, must implement straightforward and simplified administration capabilities since they converge different silos – storage, compute, virtualization, and sometimes networking. Nutanix is no exception and provides a comprehensive but easy-to-use management platform called Prism. Prism provides “one-click” access for centrally managing all aspects of the platform all the way up to virtual machines. Prism is powered by advanced machine learning technology with built-in heuristics and business intelligence to easily and quickly mine large volumes of system data and generate actionable insights for optimizing all aspects of the infrastructure performance. For example, Prism provides predictive analysis of capacity usage and trends based on application behavior. Insights are enabled through an advisor capability and “what if” analytics. Installation of Nutanix is also simplified, with many organizations standing up clusters in a day or less.
Proactive Orchestration — ABAC
And there may be some better news coming around the bend for those government agencies who must improve their adoption of proactive security practices. The DHS Continuous Diagnostics and Mitigation (CDM) Program is preparing to move into its second phase of cybersecurity services and product roll-outs for government agencies. In this second phase the focus is on process automation and orchestration for the curation of attributes, and the development and automation of policies that are designated for use as part of Attribute-Based Access Control (ABAC) systems. ABAC offers the potential to increase the granularity and overall trustworthiness of an enterprise’s access control system. So instead of assigning a user to a specific role or group and managing access based on simply that one criterion, ABAC systems organize account privileges based on a user’s attributes such as training, certifications, need-to-know, clearance, responsibilities, etc.; as well as device attributes, such as vulnerability or configuration compliance status, location, MAC/IP address, and type of device. If the state of a user’s attribute changes, for example, a critical certification expires or training has not been performed, then the respective ABAC policy can be defined to deny the user access to the account until the attribute is remediated. These characteristics make ABAC and Network Access Control (NAC) systems natural partners at the edge network. ABAC is also granular enough to support separation of duty policies or to enforce data-driven policies, such as being able to access a system but being denied access to any PII data resident on that system; or, deny access to information protected by a Non-Disclosure Agreement (NDA) until the user signs the NDA. These data-driven characteristics make ABAC and Data Loss Prevention (DLP) systems cooperating toolsets for stopping data breaches.
This second phase of the CDM Program should be a boon for tools from companies such as Sailpoint, Cyber Ark, Xceedium (recently acquired by CA Technologies), Varonis, Splunk, and Dell, which incorporate policy engines, process automation, and connectors to ingest and normalize attribute data from authoritative sources, orchestrate workflows for approvals, compare the normalized attribute data to the required ABAC policy conditions, determine entitlements, and monitor accounts. Several of these tools also provide the ABAC policy enforcement capabilities needed at runtime.
Although the use of ABAC systems is intended to cover all users in the enterprise, the initial thrust of the CDM Phase 2 Program roll-out will likely center on privileged users. It is possible that the recent OPM breach, Snowden, etc. may have something to do with this initial focus. Some agencies are not waiting for Phase 2 but already rolling out many of the products I list above as part of the federal Cybersecurity Sprint over the past couple of months, again, with a special focus on privileged users.
So with an ABAC system in place, government agencies will have a proactive system and set of processes and policies to handle that new system admin when they show up for the first time; and, will be able to maintain visibility into re-certifying users as things change. And with platforms like Nutanix, the system admin job will be easier to perform. Overall, government agencies and commercial enterprises that can quickly adapt to these new approaches will achieve benefit in more robust, active cyber defenses. But try to add a personal touch as well — it can go a long way!
Thanks for reading and please share with your connections if you like this article. Let me know what you think about ABAC and hyper-converged systems. How do you maintain a proactive user certification process?