Publication


Featured research published by Brian Anderson.


Archive | 2011

Protecting Virtual Environments from Hypervisor Sabotage

John Mutch; Brian Anderson

Organizations moving their physical server infrastructure onto virtual platforms for cost savings are finding their virtual hosts and guests are now open to new security and non-compliance risks. Workloads shifted to virtualized platforms to realize operational cost efficiencies are done so at potentially high security costs if proper security policies and tools are not established prior to implementation. As if we didn’t need to state the obvious, virtualization doesn’t make it any less likely that good people will do bad things.


Archive | 2011

Secure Multi-Tenancy for Private, Public, and Hybrid Clouds

John Mutch; Brian Anderson

It seems as if every business and IT executive that we talk to lately literally has their “head in the clouds.” Every conversation about current or impending strategies for information assets almost universally contains some mention of a public, private, or hybrid cloud deployment. A more interesting observation of these conversations is that the lure of liberating ourselves from the burden of managing applications and data shouldn’t mean we stop having high expectations about how those applications and data are managed.


Archive | 2011

Final Thoughts for Least Privilege Best Practices

John Mutch; Brian Anderson

You’ve invested in information technology and the associated infrastructure, applications, databases, and peripherals to assist your company in becoming competitive, ease administration, and satisfy reporting and compliance mandates. You’ve made decisions on physical servers and desktops.


Archive | 2011

The Hard and Soft Cost of Apathy

John Mutch; Brian Anderson

To understand the cost of apathy in relation to breaches and least privilege, we must first understand that how we manage risk impacts human behavior. If we box people in by removing all privileges, they will feel suffocated and likely rebel or withhold. If we give too many privileges, people will either feel scared of screwing up and breaking something, or take full advantage of their privileges and abuse the system. The key is to give them what they need, when they need it, and only then will they feel safe enough to do their job well.


Archive | 2011

Servers Are the Primary Target for Insiders and Hackers Alike

John Mutch; Brian Anderson

There is a significant distinction between the data on desktops described in the last chapter and the data on the server. To use another metaphor: if misusing desktop privilege can get you into the bank, then misusing server privilege is the equivalent of carte-blanche access to the bank vault. Indeed, in a secure and compliant server environment, end users are not entitled to the root password or even superuser status because organizations can no longer tolerate the security risks posed by intentional, accidental, or indirect misuse of privileges. However, organizations need to provide the admins of the plethora of heterogeneous servers across the enterprise with necessary privileges within specified guidelines to do their job safely.


Archive | 2011

Applications, Databases, and Desktop Data Need Least Privilege, Too

John Mutch; Brian Anderson

Physical, virtual, and cloud infrastructure exists for only one purpose: to store information assets and run applications that give those assets purpose. Since you’ve kept reading this far, you are now aware of the implications of unmonitored access to this infrastructure, but what about the core reason for buying, implementing and managing all of this in the first place?


Archive | 2011

Supplementing Group Policy on Windows Desktops

John Mutch; Brian Anderson

In spite of an increasingly mobile workforce working flexible hours, the image of a “desktop” sitting on a Formica, faux cedar wood bureau, or workstation in a cubicle persists. But as we know full well, a desktop is not a machine required to be in a fixed location anymore. With technology what it is, that term is synonymous with a person (wherever they may be) that has access and is using Microsoft Windows.


Archive | 2011

Misuse of Privilege Is the New Corporate Landmine

John Mutch; Brian Anderson

In organizations, it is a sad and harsh reality that trusted individuals are getting away with too many things. For example, at HSBC, a systems administrator named Falciani had unfettered root access. And what did he do with those credentials? He stole thousands of customer files and then tried to sell them to banks and tax authorities. This is becoming an increasing trend, with more and more breaches coming to light each month.


Archive | 2011

The Only IT Constant Is Change

John Mutch; Brian Anderson

Best practices in IT corporate security must acknowledge the intersection of technology, processes, and people. Yet, all too often, the focus falls to the technology and processes, while the people part of the equation is overlooked.


Archive | 2011

Business Executives, Technologists, and Auditors Need Least Privilege

John Mutch; Brian Anderson

At first glance, one might think that combining least privilege with business executives, IT professionals, and auditors would be impossible given the significant differences in points of view and motivations. Upon closer look, however, this idea makes perfect sense, because it combines security and productivity with rank and privilege.
