Who’s Talking to Whom? Who can do what to what? These two questions identify some of the biggest hurdles IT departments face.
The concept of access is not only related to individuals, employees, and users, but identifying applications themselves and their ability to access resources can be a huge challenge for companies. In fact, many breaches come from holes and weaknesses exploited from an admin giving an application a full access path to communicate with other sensitive resources.
SQL injections, web server exploits, and buffer overruns all stem from an attacker’s ability to trick an application into giving too much access, allowing them to run wild behind your firewall. Once they’re inside, the next step is privilege escalation, likely giving themselves administrative access to everything.
Applications, to a certain extent, can be more dangerous than individual users. Without being able to actually see how applications are intercommunicating, it’s next to impossible to adopt a strong security posture.
1. Monitoring Unauthorized Connections
Without insight into who’s talking to whom, it can’t be determined which network communication is sanctioned and which isn’t. If something malicious was going on, would you know? Would you get an alert?
If you did get some sort of alert, what would your reaction be? How would you remove this threat and identify the attack vector?
Most enterprises focus all of their security efforts on the perimeter and user endpoints. It’s fair to say that these are the two biggest attack surfaces, but what about inside your network, or “behind the firewall?” The east-west traffic between all of your servers, storage, virtualization platforms, etc., needs constant monitoring as well.
On the surface, it’s easy to say “We were hacked” as a sort of end-all be-all answer to why something happened. But at some point, harder questions are going to be asked, problem areas are going to have to be identified, and solutions will need to be implemented in order to shore up weaknesses in the infrastructure.
The issue at hand is the difference between a reactive response and a proactive one. Most responses are reactive. “Something happened. What do we do about it?” With a proactive approach, preventative measures can be put in place to not only alert admins that something is happening, but advances in monitoring software and intrusion prevention technology have allowed IT professionals to proactively thwart malicious attackers seeking access to your company’s resources.
2. Device Management
Managing hardware infrastructure isn’t anywhere near as bad as it used to be. Prior to virtualization, every single server had its own firmware, management software, device drivers, and operating system software that needed to be continually monitored and maintained. Although the outlook is better now, this challenge has not completely gone away with virtualization. We still have our VM hosts to manage and maintain, but it is significantly better than it was before when it comes to the sheer numbers of devices and the data center footprint to be managed.
Managing hosts and various devices within an infrastructure requires mounds of specialized and proprietary software from the device manufacturers. If not configured or interconnected properly, this is yet another silo of micromanagement needing to be configured, maintained, and backed-up.
In addition, outside of widely deployed virtual desktop infrastructures (VDI), one cannot dismiss the attack surfaces inherent in end-user desktops and devices as well. More than ever, users are introducing their own laptops and mobile devices into their work life, connecting them to your networks, and storing company data on them. This is a component of a phenomenon known across the industry as “shadow IT.”
3. Shadow IT
The term shadow IT can raise an eyebrow when it’s mentioned, so let’s define it.
Shadow IT is a phenomenon where users within an organization deploy and consume technology services that are not under the control of the corporate IT organization. For example, using a cloud-based file storage and sharing service like Dropbox apart from the blessing and oversight of IT would be a good example of shadow IT.
The practice of circumventing corporate IT policies and using alternative tools in order to get work done is understandable, even if it’s not allowable. Users want to be able to do their jobs effectively and with as little friction as possible; if corporate IT can’t or isn’t willing to provide the experience they’re looking for, users will probably look elsewhere. The problem with letting things get to this point is that it poses a massive security risk.
End users employing applications outside the purview of IT exposes the organization to the risk that sensitive company data will be obtained by unapproved parties. It also provides an additional attack vector for bad actors to use to infiltrate the network and begin wreaking havoc inside the network. Needless to say, it’s important that IT stays on top of shadow IT.
4. Transaction Forensics
Speaking of auditing, a phrase that has become more and more common in recent years is Transaction Forensics. While this is mostly found in global e-commerce markets and mergers and acquisitions, some of the principles can be applied to infrastructure, application, and user activity throughout the entire data center. Think of it as logging, but extremely organized, where every communication and every event is logged in a way that highlights who and what was interacted with.
Being able to instantly identify who did what, to what, and when, is one of the most complex auditing challenges an IT organization has to deal with on a daily basis. Having strong audit logging and transaction forensics in play can make or break some organizations, especially those that are public entities or government institutions. Considering the threat landscape today, this is not a nice-to-have feature, but a requirement—especially for those kinds of IT departments.
At Uila we recently published a new book entitled The Gorilla Guide to … Application-Centric IT. In this free book, you’ll learn:
- The advantages of an application-focused approach to IT
- How application dependencies can simplify workload migration and resource planning
- Start the journey of developing a "full stack" mindset for managing applications
- Navigating the Flow: Understanding East-West Network Traffic
- The imperative of full-stack observability
- What's new in Uila uObserve v5.5
- What's new in Uila uObserve 5.1?
- Most important aspect of VDI troubleshooting
- Importance of logging analysis in the Observability World
- Uila Success Story: Baron Capital
- Uila at VMware Explore US 2022
- What's new in Uila 5.0
- What's new in Uila 4.6?