New security threats baffle IT professionals

As enterprises seek out ways to reduce IT costs, optimize resources and improve operational efficiencies, three technology trends have started to dominate: virtualization, service-oriented architecture and mobility. More promising yet is the intertwining of these unique technologies.

Some examples: Mercy Medical Center, in Baltimore, is piloting virtual desktops rolled out on encrypted USB devices to its mobile doctors and residents. RedRoller, an online-shopping comparison service in Stamford, Conn., created an SOA to connect its small-and-midsize business (SMB) customers to best pricing at shipping carriers — a system that’s likely to go virtual down the road.

Delaware Electric, in Greenwood, gives field workers with tablet PCs access to an SOA infrastructure.

What does this mean from a security perspective? It means myriad new layers of risk being created along the stack — all of which must be securely deployed and managed. “We’re talking layers and layers you need to pay attention to, both in isolation and also where they’re mixing up with unexpected interactions,” says Dennis Moreau, CTO of Configuresoft, a configuration management company.

Take the virtual machine environment. This environment comprises a virtual machine manager (VMM) or hypervisor that’s shimmed between the kernel and the host operating system to create a layer of layers, or as some call it, a “virtual stack.” In that stack are the hypervisor and guest layers that call among themselves and cannot be monitored by most of today’s tools.

“There’s a whole series of security dilemmas IT professionals are facing with these new technologies,” says M. Victor Janulaitis, CEO of Janco Associates, an IT and business analysis firm. “The most prevalent problems are change management and version control, all the way to the cellular phones,” he says.

Best practices, standards and tools are emerging, but they’re mostly piecemeal, open to interpretation and incomplete in their coverage. Today that makes comprehensive management of any of these technologies problematic.

Security for the virtual layer

By 2009, two-thirds of organizations will be using virtualization in some significant way, according to a November 2007 report from Forrester Research.

That organizations clearly are implementing these technologies despite their inherent risks is shown by two surveys with Network World’s Technology Opinion Panel conducted six months apart.

In a June 2007 poll, 64% of 707 respondents said they believe virtualization increases their security risk. Yet in January, 60% of 977 readers polled said they were not holding back on these and other new technologies despite security concerns. This might indicate a rushed migration, but adopting enterprises really are taking their time thinking things out and starting with their noncritical systems, Configuresoft’s Moreau says.

“As you look across the virtualization stack, one of the dominant issues for enterprises is the lack of a holistic, coherent resulting view, so they’re going after their low-hanging fruit,” he says. “Some of our largest customers . . . are only virtualizing those assets that don’t have rigorous audit and due-care requirements.”

At Mercy Medical, a 6,000-user teaching hospital, not only is the virtual desktop pilot underway but also a large-scale server virtualization project. Mark Rein, the center’s senior IT director, is a fan of the efficiencies produced by virtualization, but he’s also aware of the risks. So, his organization is taking due care with proof of concept, mapping of system interdependencies, and testing before putting anything in a beta production environment.

For example, the center’s virtual desktop pilot began with 400 doctors and residents in January. Ultimately, Mercy Medical plans to issue keys to its mobile home nursing staff.

In February, after completing a proof of concept, the center began consolidating 240 data-center servers with the goal of reducing the number of servers to 70 by year-end. The consolidation is rolling out in phases, with the virtualization of 50 noncritical servers — machines that aren’t directly connected to a patient’s care — coming first.

You multiply your risk of failure when you move to virtual-server consolidation, Rein says, because losing one physical server means losing 50 virtual machines at the same time. So, Mercy Medical relies on double redundancies and failovers at the physical and virtual machine layers. (For more on Rein’s security strategy, see “From firewall to ‘firebox’ for the data center.”)

Also in need of protection are the VMMs themselves. VMware’s ESX, Citrix Systems’ XenServer and Hyper-V by Microsoft are lightweight operating systems unto themselves that make tempting exploit targets for attackers, particularly through SSH commands and other administrative paths, says Dave Shackleford, CTO of The Center for Internet Security and co-author of the virtual security benchmark.

As Rein says, “You can build antimalware and security controls into your virtual-machine gold builds, but you can’t see what they’re doing among themselves in their virtual networks. Nor can you monitor calls between hypervisor and virtual machines for anomalous behaviors. Are we to believe they’re safe because [management vendors] say so?”

To address the management problem, Microsoft acquired Calista Technologies in January. It likely will add Calista’s integrated virtualization management and security technology to its System Center Virtual Machine Manager software. What remains to be seen is whether virtual-machine makers that take on the management of their own systems would permit the visibility into machine behavior that’s needed by IT executives like Rein.
For example, Novell’s ZENworks Orchestrator life-cycle manager can tell you if a virtual machine spinning up from suspend, or sleep, mode is an approved virtual device. It can’t monitor its virtual machines’ behavior for anomalous findings and send alerts, however. For that, Novell defers to external tool providers, says Richard Reed, director of product marketing at the company.

Two such tools are Blue Lane Technologies’ VirtualShield and Reflex Security’s Virtual Security Appliance (VSA). They monitor for malicious traffic entering through the hypervisor and between virtual machines.

Rein says he is interested in the Reflex tool but is waiting for the company to come out with a component for his Microsoft environment. Reflex, in turn, says it is waiting for the official release of Hyper-V, expected late this year, before adding a Microsoft component. VSA is a virtual machine that sits on virtual networks watching for anomalous virtual-machine behavior. It currently supports VMware’s ESX Server, Citrix XenSource and Virtual Iron Software’s Virtual Iron.

For now, Rein is using PlateSpin’s PowerRecon management tool to get a look into what’s happening inside his virtual environments. Part of PlateSpin’s popular virtualization-deployment platform, this component supports such management functions as resource allocation and chargeback capability.

Monitoring a guest machine is not as easy as tweaking host and application security to handle all things virtual, says Chris Farrow, director of product management at Fortisphere, which uses a tagging technology to track virtual guests and block untagged machines from going live on the host.

“Guests have their own challenges. A guest in the virtual world could be live on the network, live but in a host-only mode waiting for its host’s command, or in suspend mode waiting to be spun up at any moment. Version control is a big point because you need to know what condition they’re in before they go live,” he says. “You also have the hypervisor. Is it patched and configured correctly? Is it running securely in its activities and communications?” (See “No patches, no place on the virtual net,” below.)

Such are the layers of security addressing the layers of risk brought about by virtualization: Virtualization-specific point products that run separately, traditional network and system management products tooled to cover some VMM issues (without looking into the virtual machine activity itself), and problem-specific security tools reset for virtualization.

Note that none of the products mentioned so far does anything to cut down on virtual machine creep outside of the controlled data-center environment.For example, many mobile Mac users are running virtual machine images of Windows computers so they can access their Windows data on their Macs, Novell’s Reed notes. “You’ll need to further integrate your endpoint security to protect against rogue virtual machines installing on your endpoint devices,” he says.

Those virtual desktops also will need management. The easiest fix would be using virtualization itself to control the builds and protect the operations of mobile computers, Mercy Medical’s Rein says.

“We can virtualize desktop images into small, inexpensive portable devices, encrypt them, and send them out into the world where they run separate and secure from the host machine, then leave no trace behind when the key is removed,” he says. “Imagine the efficiencies in patch management, updates and version controls for your endpoints,” he adds.

Security for the application layer

Version and configuration controls also are big considerations for SOA, with increasingly mobile application messaging infrastructures being built on the XML-based SOAP protocol.

Web applications have been the No. 1 attack vector for the past two years. Start tying those applications together, and give them access to partner systems’ back ends over a Web-services front end, and you’re going to see attackers exploit this channel to get into back-end systems, consultant Janulaitis says.

As such, RedRoller and other enterprise SOA shops are finding themselves in tough spots when it comes to updating and patching.

“There’s no way we could provide the technology that we do to our SMB customers without our carrier partners providing access to us so we can present their pricing, peak rates and times,” says Jason Ordway, CIO at RedRoller. “We had to start out with very basic, XML-based APIs, but shipping companies are moving up the chain to full-blown, enterprise-level Web services. This is great, cool and neat, but we have to change things on our side because they’re sunsetting our older APIs.”

Even if back-end systems were fully standards based, version controls still would be problematic, Ordway says. He describes the problem: Periodically, RedRoller’s shipping and supplies partners update their systems. They might raise transaction costs, change surcharges or update service locators multiple times a year — or in some cases, monthly — per carrier.

While new API releases are fully backward compatible, translating those updates to RedRoller’s shipping applications, and then playing them forward to eBay, IBM and other connectivity partners selling the company’s services is cutting deeply into the bottom line.

“With every new release we go through a compliance procedure,” Ordway explains. “Soup to nuts, we walk through our existing applications, their outputs and drivers looking for interdependencies across the systems and fields of data being changed,” he says.

Another security concern revolves around the parsers used in applications to translate XML into HTTP, a language universally accepted by IP firewalls. Companies using third-party parsers need to ask whether and how security hardening has been done on the parsers themselves, says Steve Orrin, director of security solutions at Intel, which offers the SOA Security Toolkit, a standards-based SOA-messaging platform that can be installed in the application server. In addition, developers need to bake security testing and hardening into their cycles.

At RedRoller, file and field encryption play big roles in protecting user and order information in databases. For transmitting SOA messages, it relies on SSL to and from its carriers and participating merchants, and through its system to the user’s browser.

Orrin points to Web-application encryption standards from the Open Web Application Security Project, SOAP encryption standards and others to help build consistent encryption and authentication rules that can follow across these applications.

Gari Singh, product manager for IBM’s SOA WebSphere Security Gateway products, agrees that encryption is a good best practice, and points to standards such as Security Assertion Markup Language and x.509 certificates that go along with the message to validate at the gateway. But the unintended consequences of an encrypted malicious HTTP payload getting through firewall defenses are worrisome, he says. “Now, with an encrypted message, the firewalls and [intrusion-detection systems] have no way of checking for a malicious payload going through their Web ports.”

Don’t forget, Singh adds, that this connection is going right back to participating partners’ servers — pathways that could be exploited through specially crafted XML messages and hacking parsers (see “Four types of emerging SOA threats,” below).
Experts say federated-identity networks will be critical in managing credential-checking-request messages traversing multiple systems belonging to multiple owners in an SOA. Singh likens these networks to governance networks that will require an intermediary to handle provisioning and rights metadata.

And so the layers deepen. By 2011, IDC predicts worldwide spending for SOA-based initiatives will reach nearly $14 billion.

Security for the mobility (and portability) layer

SOA already is intersecting with mobile devices at such companies as Delaware Electric. With one field-automation application, for example, workers there can order materials for system designs from wherever they are using tablet PCs. Using these devices, electrical-systems design engineers do everything from laser-surveying GPS points to designing and laying out the wires and meters.

“Enabled through SOA, we’re able to expose the tablets to an XML interface, and push that data to an accounting and business platform that takes care of materials reservations and supplies,” says Gary Cripps, the utility’s CFO.

Mobility should foremost be handled through encryption, says Mark Burnette, executive director of IT operations and security at Gaylord Hotels, a hotel chain in Nashville, Tenn. One need only look at the number and types of privacy breaches posted on the Privacy Rights Clearinghouse Web site to realize mobile laptops will continue to be a leading vulnerability. They are “a huge risk exposure,” he says.

As part of its compliance efforts, Gaylord Hotels last fall deployed Credant Technologies’ FIPS 140-2-validated Full Data Encryption2 technology. With it, the company has encrypted data on its 800 Windows laptops.

Protections for mobile devices — at least laptops and BlackBerries — are more mature than those for virtualization and SOA. This is particularly the case with network-access control (NAC)-based endpoint management coming of age, says Rob Israel, CIO at John C. Lincoln Hospitals in Phoenix. Last year, Lincoln Hospitals allowed browser access to patient charts, reports and documentation for 800 clinicians and processing partners over their desktops, laptops, BlackBerries and other PDAs.

The organization is using Lumension Security’s PatchLink Update (in combination with other Lumension NAC-based application- and device-security products) to manage updates.

Encryption also will merge with endpoint security management; earlier this month, for example, Symantec added endpoint encryption to its endpoint security suite. Overall, Gartner estimates endpoint security platforms will become a $3.6 billion market in 2009.

Cell phones already are accessing their employer networks to get e-mail and other functions, experts say. At Mercy Medical, the technology team is studying unified messaging services to roll out to its cell phone user base this year. The goal is to replace its e-mail-only application.

If these types of applications are going out to user-owned phones, they’ll be increasingly difficult to protect, says consultant Janulaitis, who predicts that over the next few years, U.S. network carriers will be forced to uncouple their networks from their phones and follow the model that’s happened outside the United States. “Then users will be using voice over IP over the cellular network, picked up by Wi-Fi hot spots wherever they travel.”

Oh yes, let’s not forget that layer, with Wi-Fi Protected Access the prevailing encryption and security standard for Wi-Fi networks.

Retailer Circuit City uses Wi-Fi standards to segment networks at store locations as a point of security, says Steve Alexander, information security architect at the Richmond, Va.-based retailer. One network is for sales assistants who use tablet PCs to access only the public Web site and answer customer questions (they do not intake customer information).

The Repairs department gets its own wireless network, which especially must be kept separate because computers coming there usually are infected with some type of nasty. And cash registers, for now, are wired.

“It’s not a matter of ‘do this, fix that,’ and you’re secure,” Alexander says. “It’s a combination of many layers of security at many levels, across your infrastructure.”

Deb Radcliff is a freelance writer covering computer crime. She can be reached at

Share on LinkedIn Share with Google+