Skip to main content

Securing the Control Plane

Mar

06

2019

Time to read

Read so far

Written by: 

Govindarajan Rangarajan

Time to read

Written by: 

CMMC_1000x420

Infrastructure Security is primarily comprised of the following:

  • Control Plane Security
  • Endpoint Security
  • Network Security

Control Plane Security: The focus of this blog post is around securing the management platforms used for provisioning the compute/network/storage infrastructure. The various business applications/services run on the infrastructure provisioned using management platforms. As customers adopt a multi-cloud strategy they rely on a variety of management platforms such as vSphere Virtual Center, NSX-T Manager, Kubernetes Orchestrator or public cloud management platforms such as AWS, Microsoft Azure and Google Cloud Platform to provision the workloads.

Endpoint Security: The focus of this category is to ensure the various desktops, mobile devices and even VMs are properly secured. Typical endpoint security controls are as follows:

  • Anti virus protection
  • Vulnerability management
  • Patch and configuration management

Network Security: The focus of this pillar is to ensure the network communications and the perimeter are properly secured:

  • Making sure the north/south traffic is secured thru firewalls
  • Properly secure the east/west traffic and microservices communication thru micro segmentation

Even though all of the above aspects of Infrastructure Security are important, securing the Control Plane is critical, as any compromise to the Control Plane security posture can have a far reaching effect.

In this article we highlight the various aspects of securing the Control Plane, which is in fact, the very focus of our HyTrust Cloud Control (HTCC) product.

Securing the Control Plane

Fine-grained Access Control: This is about who can do what operations. Access to management platforms such as vCenter, Kubernetes, AWS etc. should be properly configured to  ensure following:

  1. Notion of least privileges
  2. Separation of duties

Configuration Hardening: The various control plane resources such as VMware vCenter, vSphere ESXi hosts, AWS accounts and Kubernetes orchestrator need to be properly hardened based on industry best practices such as CIS benchmarks and/or relevant regulations like PCI DSS, NIST 800-53 etc.

Root of Trust: It is essential to make sure the systems where the critical applications are running are trustworthy. Attestation technologies such as Intel TXT, vTPM, Docker Notary and secure boot technologies such as UEFI could be used to establish the trustworthiness of workloads such as hosts, VMs and containers.

Secondary Approval: It is important to have additional level of authorization (a.k.a  two person rule) for operations performed on sensitive workloads like managing personally identifiable (PII) data and operations that are deemed disruptive like powering off VMs. 

Container Image Assurance: The focus of Image Assurance is two fold:

  1. Ensure the images that are being built are properly secured before pushing them into the container registries. For example, during the continuous Integration (CI) phase make sure proper security controls are in place to scan the images for vulnerabilities and digitally sign the images before placing them in registries.
  2. During Continuous Deployment/Delivery (CD) phase make sure proper security policies are in place to ensure only the relevant images are being allowed to be deployed. For example in a Kubernetes environment,  you might want to have suitable deployment control policies based on the following:

    • Not allow public registries
    • Only allow select private registries
    • Maintain a whitelist/blacklist of images based on attributes such as version, vendor, content etc.
    • Vulnerabilities in the image itself

HyTrust Cloud Control (HTCC) has been purpose built to secure the dominant management control planes such as vSphere vCenter, NSX and very recently has added support for Kubernetes & AWS.

Contact us today to try out the early access version of HTCC 6.0.