January 31st, 2013
We’ve never really been adept at dealing with insider threats. Some organizations have internal detection and monitoring programs, usually aligned with anti-fraud efforts, and some also include more robust forensics programs to look for evidence after the fact, but we still have a problem with insiders. With the proliferation of virtualization and cloud computing, we have more trouble than ever. There are two trends I see that explain this.
First, let’s talk virtual environments. A number of things tend to happen in virtual infrastructure that can lead to poor privileged user management and monitoring practices. First, many shops hand virtualization over to an existing admin group, like, say, the Windows team. Not a great move, for a lot of reasons. This team still has to manage its existing systems and infrastructure, like Active Directory, DNS, and other platforms and applications. This means they’re part-time virtualization admins, at least for a while. A lot of folks think virtualization is easy, and it is…to a point. But virt technologies can suffer from neglect just like any other systems and apps can, and missing patches and failing to implement configuration controls can have a devastating effect.