Citing the need to protect data from internal threats as well as external threats, HyTrust has announced a limited initial rollout of a new feature that sniffs for disconnects between cloud administration activities and the roles of the people who execute those activities.
"We need to shift our thinking from an outside-in approach to an inside-out cloud security approach, especially when so much is at stake and we are dealing with infrastructure that has much greater risk," said Eric Chiu, president and founder of HyTrust, a Mountain View, Calif.-based security, compliance and governance vendor. "An often overlooked danger comes from the insider who has access to everything, as well as the threat of people posing as insiders. These are people who hijack the credentials of top-level people and then have everything. The bad guys are getting smarter, so we believe there is a need for role-based monitoring, which makes it easier to detect bad actions from good actions."
As an example, Chiu recounted last year's incident involving a drug company that terminated an IT administrator who allegedly regained access to the system at a later date and deleted massive quantities of data in less than five minutes. Prior to the attack, the suspect had apparently logged onto the system as many as 20 times in preparation for the attack.
"Each server and networking and storage device and data center could conceivably have their own set of configurations and management consoles," Chiu explained. "If you can hack into one of those, you could cause quite a bit of trouble. But with virtual infrastructure, all of that collapses onto one single software platform. So your customer may have gotten a 10x increase in efficiency and cost savings, but they now have out 100x increase in risk. This makes the super-admin even more powerful because they can access every system in the cloud, and they can copy and steal the data, and they could tamper with controls."
Chiu compares IDS and IPS to "building a moat around a castle," thereby taking action against external threats while doing nothing to protect against attacks from within the castle walls. He claims that SIEM platforms fall short of accurately detecting problems caused by internal malfeasance.
"Most internal attacks go unnoticed," he said. "Role-based monitoring provides a deeper examination of the context, looking at what was done as well as who executed the action, what is their job, what resources are they allowed to manage and what do they usually do. This enables you to zero-in and separate appropriate administrative operations from malicious ones."
NEXT: A Response To Customer RequestsThe HyTrust appliance essentially performs as a gateway to each management operation, and it can inspect each one separately. It then cross-references the actions with the roles of each user and correlates the likelihood of malfeasance. If the comparison suggests that the activity occurred out of policy, an alert can be launched, or policies could be put in place to terminate the activity until its validity can be verified.
HyTrust's Chiu concedes that role-based monitoring might not be fully effective in situations that involve stolen credentials, but he adds this solution supports two-factor authentication as a means of reinforced cloud security.
"Monitor mode has just been integrated into our virtual appliance solution, with an initial production release, aimed at key customers, set for next week," he said. "This is something that customers have been requesting, and we expect to begin extensive marketing efforts in May. It's a prepackaged virtual machine that you download and deploy in your VMware environment."
Chiu expects that the added functionality will be popular among both customers and channel partners.
"Everything that has not already been virtualized is at least on a path to be virtualized in the next year or two," he said. "Partners can come to their customer with the ability to deliver on very specific policies. You can say, for example, 'Alert me if somebody deletes more than five VMs in 20 seconds.' You can issue alerts based on actions or sets of actions for any enterprise resource being monitored."
PUBLISHED MARCH 13, 2013