Lockdown mode has been around in various forms for many releases. The behaviors have changed a few times since 5.1 with varying levels of usability success. For vSphere 6.0 we are trying to address some of these issues. Personally, what I’d love to see happen with all customers running V6.0 is that you run at a minimum the “Normal” Lockdown Mode.
Category: IT Security
Sep 13
Survey: What questions does the security guy ask all the time?
You’re the virtualization admin. Your security guy comes up to you, looking for information. You really don’t want to give him an account on vCenter, do you? (according to a group discussion session I did at VMworld, the answer was clearly “No” with some being a little more colorful by using the term “NFW”!)
But lets face it, the IT Security folks do have a job to do and they really could use information on a regular basis to do their job. Let’s see if we help them by helping you, shall we?
Give us questions, we’ll give you answers
I’m looking for examples of the types of questions IT Security needs regular answers to. Alan Renouf and I are mulling some ways to help both of you out. No details yet but having Alan involved should give you a hint! :) Give us the questions, let us surprise you.
I’ll start this off with some examples:
Security Guy: “I need to see….
- all the virtual machines that have a CD drive attached
- what virtual machines are on what network/switch/portgroup
- what virtual machines are on what storage device
- what roles are assigned to what users
- ESXi server SSL certificate details like when they expire
- What vSwitches are in promiscuous mode
- any vDS port mirroring details
- the ESXi shell interactive timeout values
- what the syslog IP address is set to on the ESXi servers
Based on that, start posting the questions! We’ll try to get as many included in this little project we are working on. We hope you like it!
mike
Oct 10
Dude, that’s so Meta
This isn’t going to be a blog posting about me writing a blog post. No, I’m referring to metadata. I recently read an article on Digg about Apple’s new Maps app and the accumulation of metadata. The amount of stuff Google, Apple, Amazon, etc are collecting is huge. Read about this recent Apple patent on metadata and what sorts of things they are planning to use it for. (this is a must-read by the way)
If you’ve been following my rants…er…blog, you’ll remember a posting recently where I talked about metadata in a virtual environment. Well, for a change and because this is a short post, I’m not going to talk about virtualization..
Nope, I’m thinking of the metadata itself. More and more applications and devices are generating metadata. Location information, accelerometer data, usage patterns, etc…(see that Apple patent I mentioned earlier!) Lots of great data that I believe will eventually be consumed by security vendors. Many in the industry are investigating the use of metadata to provide multi-factors of authentication. But here’s my worry. How much of that data can you trust? Meaning, is the data valid? Was the device that generated the metadata compromised? Was the email and calendar server that we’re storing our work and home life compromised and some data changed (example: location data of a meeting last week)? If we are using metadata for factors of authentication, can we live with some of it being compromised or of questionable value? I say “Yes”. Read on…
My new security term – The Tidbit
tid·bit
[tid-bit]
noun
1. a delicate bit or morsel of food.
2. a choice or pleasing bit of anything, as news or gossip.
I’m a foodie so let’s run with the “morsel of food” analogy, shall we? One morsel isn’t going to make a meal. But, like going to a tapas bar, when you order up a bunch of tasty morsels you’ve got yourself a meal. Let’s think of that in the context of security. Now, just one tidbit, in this case, your current GPS location, isn’t going to get you thru the VPN, but what about multiple tidbits? Will that be “good enough” to replace passwords for some folks? (probably. I’ve seen crazier things happen) Will that make a “secure” meal? Obviously, that’s a decision of for you to choose. I always like to say “apply the right level of security based on the sensitivity of the data”. For some things like accessing a corporate web page that only contains reference information then a couple of tidbits might be ok. But for VPN, because it’s far more intrusive into the corporate infrastructure, I might need two or more tidbits PLUS SecurID.
But what if the metadata is compromised?
Ok, now that we’re looking for that security meal that will allow me access to what I need to get to, we have to start to think of how it can be compromised. Like a meal, will one bad tasting tidbit kill me? Probably not. I’ll probably spit it out and push it off to the side of my plate.
Well, if I’m using all these cool geek tidbits like GPS, accelerometers, photos, meeting information, etc, I can then safely toss any that are suspect and maybe bring a new tidbit online to replace them. Or maybe, I’ll change from the server side what tidbits I’m looking for randomly, ensuring that I’m staying one step ahead of the bad guys. (Hey, that’s adaptive authentication!) After all, what I’m looking for is a sum of the parts, not the parts themselves. Just like a bunch of unclassified data, when put together, can produce classified data.
The point being here is that no longer will we have a one size fits all methodology to authentication. There are new methods for verifying people on the horizon. Mash that up with Big Data and you get a world where in order to confirm a transaction on your mobile phone the app (and back-end server) knows you’re in Lowe’s and tells you to go to Aisle 16 and scan the bar code of a specific product before it processes your transaction.
Feasible? Sure. Practical? Well, we’ll see, won’t we?
Your thoughts?
mike
You must be logged in to post a comment.