Data center and virtualized security are built in the image of traditional campus network security. Using the network perimeter as its model, the industry first focused on recreating firewall-like abilities to segment and enforce rules on the flow of traffic in the virtual data center.
This included simply porting traditional firewalls to run as virtual machines, and then progressed into more agent-based segmentation models that were closely integrated with the virtualization platform software itself.
Both approaches are largely focused on how to enforce policies within the cloud data center. However, creating and enforcing rules is not the same as catching cyber attackers. At the perimeter, firewalling is complemented with a variety of threat detection and prevention technologies, such as IDS/IPS, anti-malware solutions and web filtering. And like their firewall brethren, many of these perimeter threat prevention technologies have been simply ported over to run on virtual machines to replicate the campus network security architecture.
The problem is that cloud data centers are not simply perimeter security 2.0. Cloud data centers often encounter cyber threats at more advanced phases of an attack than the perimeter does, and consequently see different types of threats and attack techniques. Specifically, perimeter threat prevention is overwhelmingly focused on detecting the initial compromise or infection (e.g. exploits and malware). Cloud data center cybersecurity must focus on detecting attackers who have already compromised the perimeter and have moved on to more advanced attack phases, such as internal reconnaissance, lateral movement, and data exfiltration.
Native integration with virtualized environment
In addition to detecting advanced phases of an attack, data center cybersecurity must be natively integrated with the virtualization platform. An analysis of cloud data centers shows that 80% of traffic stays inside the data center. At the most basic level, a security solution must be within the virtual platform to have visibility into potential threats.
Unified visibility for all teams
In addition to detecting active attacks, it is necessary to have unified visibility into data center security that spans operational teams. By nature, cloud data centers involve the work of multiple teams, each with their own priorities and timelines. Developers are typically driven to build applications quickly and the virtualization team often wants to deploy and support them as quickly as they can. Consequently, the security team is not always aware of changes that are made in the virtual environment.
The critical attack vectors
Data centers and the wealth of information they contain represent the ultimate prize for attackers. But unless the attacker gets lucky and finds an Internet-facing vulnerability, compromising a data center takes a significant amount of effort and planning. As a result, cyber attacks that target data centers tend to be patient, mature operations that emphasize persistence and require flying below the radar of security teams. This section examines the critical attack vectors and techniques that sophisticated cyber attackers use against data centers.
Co-opting administrative access
Administrators have unparalleled access to the data center and as a result are natural targets for attackers. Administrative protocols can give attackers backdoor access into the data center without the need to directly exploit an application vulnerability. And by using standard admin tools such as SSH, Telnet or RDP, attackers can easily blend in with normal admin traffic.
Closing the local authentication loophole
In addition to the standard paths utilized by administrators, many data centers rely on local authentication options that can be used in an emergency. For example, if a domain controller or other authentication infrastructure fails, admins still need the ability to manage the data center. In these cases, admins rely on local authentication to access the hosts and workloads they need to manage. However, these local authentication options are not logged and the same login credentials are often shared across hosts and workloads for the sake of simplicity. While essential, these local authentication channels present a serious risk to the security of the data center. When attackers find the credentials by compromising an administrator, they can silently access the data center without fear of their activity being logged.
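The two preceding sections describe attackers blending into admin traffic over SSH, Telnet or RDP, and replaying shared local credentials across hosts. The script below is an added example (not code from the original document or from any vendor) showing how a defender might turn those two observations into detections over authentication and connection logs. It assumes a log format, an approved list of admin jump hosts, and thresholds that are all constructed for the example; above all it assumes that local-account logins are in fact being forwarded to a central log, which the text notes is often not the case and is the prerequisite for the second check to work at all.

```python
"""Detect misuse of administrative access paths in a data center.

Two heuristics, run over constructed log records:
  1. SSH/Telnet/RDP sessions that do not originate from an approved
     admin jump host (an attacker blending in with admin traffic).
  2. One *local* (non-directory) account succeeding on many distinct
     hosts inside a short window, the signature of a shared emergency
     credential being replayed across the estate.
The log format, the jump-host list and the thresholds are assumptions
made for this example, not something the original text specifies.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_PROTOCOLS = {"ssh", "telnet", "rdp"}
# Assumed: the only hosts from which interactive admin access is expected.
APPROVED_JUMP_HOSTS = {"10.0.0.5", "10.0.0.6"}

# Constructed sample log lines: time src dst proto account auth_source result
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 10.1.1.10 ssh alice domain success
2024-03-01T09:05:00 10.0.0.5 10.1.1.11 rdp alice domain success
2024-03-01T10:12:00 10.2.7.44 10.1.1.10 ssh root local success
2024-03-01T10:12:40 10.2.7.44 10.1.1.11 ssh root local success
2024-03-01T10:13:15 10.2.7.44 10.1.1.12 ssh root local success
2024-03-01T10:13:50 10.2.7.44 10.1.1.13 ssh root local failure
2024-03-01T11:30:00 10.0.0.6 10.1.1.20 ssh root local success
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, account, source, result = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "proto": proto.lower(),
            "account": account, "auth_source": source, "result": result,
        })
    return events


def admin_protocol_from_unexpected_source(events):
    """Heuristic 1: admin-protocol sessions whose source is not a jump host."""
    hits = []
    for ev in events:
        if ev["proto"] in ADMIN_PROTOCOLS and ev["src"] not in APPROVED_JUMP_HOSTS:
            hits.append((ev["time"].isoformat(), ev["src"], ev["dst"], ev["proto"]))
    return hits


def shared_local_credential_reuse(events, min_hosts=3, window=timedelta(minutes=10)):
    """Heuristic 2: one local account succeeding on >= min_hosts distinct
    hosts within `window`. Only successful logins count; failures are noise here."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["auth_source"] == "local" and ev["result"] == "success":
            by_account[ev["account"]].append(ev)
    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        # Sliding window over the time-ordered successes for this account.
        for i, start in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((account, start["time"].isoformat(), sorted(hosts)))
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in admin_protocol_from_unexpected_source(evs):
        print("ADMIN PROTOCOL FROM NON-JUMP HOST:", hit)
    for alert in shared_local_credential_reuse(evs):
        print("LOCAL CREDENTIAL REUSED ACROSS HOSTS:", alert)
```

On the constructed sample the first check flags the four sessions from 10.2.7.44, and the second flags the root local account reaching three hosts inside a minute and a half, while the legitimate root login from the jump host an hour later does not trip it. The window and host count are the knobs to tune against a real environment's emergency-access patterns.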
The administrative hardware backdoor
Local authentication offers an example of a backdoor that administrators – and attackers – can use to gain access to a data center. However, there are other examples that take the same approach and extend it deeper into the hardware. While the data center is synonymous with virtualization, the virtualized environments and resources still need to run on physical hardware. Virtual disks are ultimately dependent on physical disks, and the physical disks run in physical servers.
Keeping an eye on data
The ultimate goal of most attacks is to steal data. Therefore, the ultimate goal of security teams must be to identify attacks well before data is accessed, including attacks at the exfiltration phase. Depending on their needs and skill level, attackers can use a variety of approaches to smuggle data out of the data center.
The most obvious approach involves moving data in bulk out of the data center, either directly to the Internet or to an intermediate staging area in the campus network. Subtle attackers may attempt to stay low-and-slow by patiently exfiltrating data at rates that are less likely to be noticed or arouse suspicion. Efforts can also be made to obscure data exfiltration in hidden tunnels within allowed traffic, such as Web or DNS traffic.
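The paragraph above names three exfiltration patterns: bulk transfer, low-and-slow trickle, and tunnelling inside allowed protocols such as DNS. As an added example (not code from the original document or any product), the script below shows one detection heuristic for each, run over constructed flow and DNS records. The address ranges, byte and hour thresholds, the treatment of the last two labels as the registered domain, and the sample data are all assumptions made for the example.

```python
"""Three exfiltration patterns detected over constructed records:
bulk egress, low-and-slow egress, and DNS tunnelling.
Thresholds and record formats are assumptions for this example."""
import hashlib
import math
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024
BULK_BYTES_PER_HOUR = 500 * MB   # assumed: more than this in one hour is "bulk"
SLOW_MIN_HOURS = 12              # assumed: pair active in this many distinct hours
SLOW_MIN_TOTAL = 20 * MB         # assumed: and moved at least this much overall
DNS_MIN_UNIQUE_SUBDOMAINS = 20   # assumed
DNS_MIN_LABEL_ENTROPY = 3.0      # assumed (bits per character)


def is_internal(ip):
    return ip.startswith("10.")   # assumed: 10/8 is the data center


def build_sample_flows():
    """Constructed flow records (time, src, dst, bytes_out): a bulk dump,
    a 24-hour low-and-slow trickle, benign traffic, and an internal copy."""
    t0 = datetime(2024, 3, 1)
    flows = [
        (t0 + timedelta(hours=2), "10.1.1.50", "203.0.113.9", 400 * MB),
        (t0 + timedelta(hours=2, minutes=20), "10.1.1.50", "203.0.113.9", 400 * MB),
    ]
    for h in range(24):  # 2 MB every hour, all day
        flows.append((t0 + timedelta(hours=h, minutes=7), "10.1.1.51", "198.51.100.7", 2 * MB))
    for h in (9, 13, 17):  # ordinary business-hours traffic
        flows.append((t0 + timedelta(hours=h), "10.1.1.52", "203.0.113.80", 1 * MB))
    flows.append((t0 + timedelta(hours=3), "10.1.1.50", "10.1.1.51", 900 * MB))  # east-west
    return flows


def egress_by_pair_and_hour(flows):
    """Sum bytes per (internal src, external dst) per clock hour."""
    agg = defaultdict(lambda: defaultdict(int))
    for t, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            agg[(src, dst)][t.replace(minute=0, second=0, microsecond=0)] += nbytes
    return agg


def detect_bulk(flows):
    """Any pair that pushes more than the bulk threshold within a single hour."""
    hits = []
    for (src, dst), hours in egress_by_pair_and_hour(flows).items():
        for hour, total in hours.items():
            if total >= BULK_BYTES_PER_HOUR:
                hits.append((src, dst, hour.isoformat(), total))
    return hits


def detect_low_and_slow(flows):
    """Pairs that never look bulky in any hour but stay active for many hours
    and accumulate a meaningful total."""
    hits = []
    for (src, dst), hours in egress_by_pair_and_hour(flows).items():
        total = sum(hours.values())
        if (len(hours) >= SLOW_MIN_HOURS and total >= SLOW_MIN_TOTAL
                and max(hours.values()) < BULK_BYTES_PER_HOUR):
            hits.append((src, dst, len(hours), total))
    return hits


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def build_sample_dns_queries():
    """Constructed query names: ordinary lookups plus a tunnel-like stream
    where each query carries 40 hex characters of 'payload' as a subdomain."""
    names = ["www.example.com", "mail.example.com", "api.example.com", "www.example.com"]
    for i in range(30):
        payload = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:40]
        names.append(f"{payload}.t.example.org")
    return names


def detect_dns_tunnel(names):
    """Domains receiving many unique, high-entropy subdomains: data is riding
    in the query names rather than in the answers."""
    by_domain = defaultdict(set)
    for name in names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        by_domain[".".join(labels[-2:])].add(".".join(labels[:-2]))
    hits = []
    for domain, subs in by_domain.items():
        if len(subs) < DNS_MIN_UNIQUE_SUBDOMAINS:
            continue
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_entropy >= DNS_MIN_LABEL_ENTROPY:
            hits.append((domain, len(subs), round(mean_entropy, 2)))
    return hits


if __name__ == "__main__":
    flows = build_sample_flows()
    print("bulk:", detect_bulk(flows))
    print("low-and-slow:", detect_low_and_slow(flows))
    print("dns tunnel:", detect_dns_tunnel(build_sample_dns_queries()))
```

On the constructed data the bulk check fires on the 800 MB hour, the low-and-slow check on the host that trickles 2 MB every hour for a day (48 MB in total, never enough in any one hour to look bulky), and the DNS check on the domain receiving thirty unique high-entropy subdomains. The 900 MB internal copy is deliberately ignored: these are egress heuristics, and internal movement of that size belongs to lateral-movement detection rather than exfiltration.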
Blending physical and virtual context
Data centers are unique to their own organizations and vary based on applications and how users interact with them. The most common type of data center today is the private enterprise data center. Attacks against these data centers are typically extensions of attacks against the larger enterprise. For example, attackers may have initially compromised an employee laptop via a phishing email or social engineering. Next, attackers typically look to establish persistence within the network by spreading from the initial victim to other hosts or devices.
With their wealth of data and applications, today’s data centers are the ultimate prize for cyber attackers. Yet while most data center security has focused on protecting the virtualized layers of the data center, real-world attackers are increasingly subverting the physical infrastructure that the data center depends on. It is imperative to have the ability to identify cyber attacks that target data centers. With advanced detection models that expose attacks against application, data and virtualization layers in the data center, as well as the underlying physical infrastructure, security teams will be able to address critical vulnerabilities at every layer of the virtualized data center.