LISA 2010: OS Security In The Cloud

Sunday, November 21, 2010

Jamie Adams


In November of this year, I attended the 24th Large Installation System Administration (LISA) Conference in San Jose, CA. LISA is an annual technical conference sponsored by USENIX: the Advanced Computing Systems Association.

On Friday, November 12th, I spoke at a “Guru Is In” session on “Security” where I was able to facilitate a discussion with all levels of system administrators (and an auditor) about compliancy versus security. We had a lively exchange of views and information.

I also had an opportunity to speak with John Arrasjid, a USENIX Director and Principal Architect at VMware. We talked about operating system security, cloud computing, and next year's LISA to be held in Boston, Massachusetts.

I really like LISA and USENIX. For one thing, the atmosphere is engaging but relaxed. Even though it comprises some of the best minds in the industry, there is no pretentiousness but rather a willingness to share ideas and experiences.

Outsiders would probably consider this eclectic blend of personalities and skill sets as strange whereas, the rest of us just consider it a comfortable environment which fosters an exchange of ideas.

There is no doubt that cloud computing is a hot topic these days. As an engineer, most of my career has been focused on operating systems and related security.

I find it interesting that some people tend to forget the operating system security fundamentals when it comes to cloud computing, hardware virtualization, and software virtualization.

In the end, it is still an operating system. A SUSE® Linux® instance running under an IBM® Integrated Facility for Linux (IFL) on System z® mainframe deserves the same consideration when it comes to operating system security.

Unused services should and must still be disabled, discretionary access controls tightened, and regular software updates applied. The same holds true when it comes to operating system images deployed in the cloud.

Given today's operational tempo, many organizations tend to quickly provision new operating system instances and virtual machines in order to handle increasing workloads.

When storage technology was growing at an exponential rate, some system administrators would frivolously allocate huge amounts of space as if there was a bottomless pit of resources.

By limiting the ports, services, and installed software on a virtual machine an image will ultimately conserve resources and reduce the attack surface.

Another side effect of rapidly provisioning new operating system images is a varying security state. Consider a standard image which may get deployed over and over.

This image has been “locked down” in accordance with some set of security guidelines. However, if the security guidelines or requirements change, how do organizations consistently reconfigure previously deployed images with the new standards?

One situation I've seen quite often is when an administrator would clone or snapshot an image. Then they apply new security settings to the image.

However, when a failure occurs they restore the image to a previous snapshot which does not include the recently applied security settings.

Technology facilitates today's operational pace however, without disciplined administrators willing to clearly document activities this situation can quickly get a out of control.

It is imperative that processes not be burdensome in order for the administrator to keep up the pace but still clearly understand their current security posture.

Of course, the right automated tools can be a great resource provided they are non-intrusive, easy to use, and perform consistently and reliably.

Cross-posted from Security Blanket Technical Blog

Possibly Related Articles:
Cloud Security
Virtualization Cloud Computing Operating Systems Administration LISA
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.