Today I will talk about VMware security and ransomware protection and give some hints and tips you can use in your daily operations to protect your environments.
During the COVID-19 pandemic we have seen a huge increase in cyber threats. Ransomware is no longer only about extorting money for decryption keys; increasingly it involves stealing data first and holding that data to ransom as well.
VMware has different ideas and solutions around security and protection. The main gateway to this information is the Ransomware Resource Center. Here you can find a lot of useful information on protecting your environment.
Below I have listed some of the most important things to keep in mind when it comes to securing your environment.
Keeping your environment up to date
This is the most obvious one. However, you would be surprised how often updates lag behind. I cannot stress enough the importance of keeping your environment up to date. We have seen several incidents where a lack of patching caused huge impact, both technically and financially.
Make sure you have proper procedures in place for security vulnerabilities rated "Important" or "Critical". Do not wait for the next maintenance window but patch as soon as possible. Also make sure you subscribe to VMware Security Advisories so that you receive the latest information by email.
The vSphere portfolio has lots of possibilities to help you automate your patch management. vSphere also has a lot of resilience built in to minimize impact and downtime during patching. Think of features such as vMotion, DRS or vCenter HA.
In this document you can find some useful tips on keeping your vSphere environment up to date.
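The first step of any patch procedure is knowing which hosts are behind. The PowerShell function below, which is an added example and not code from the original post or from VMware, compares ESXi hosts against a minimum build per version. The build numbers in the table are placeholders, not real advisory data: take the real values from the VMware Security Advisory you are acting on. The sample hosts are constructed so that the script runs offline; the shape matches what PowerCLI's `Get-VMHost` returns (Name, Version, Build).

```powershell
# Added example (not from the original post). Minimum patched build per ESXi
# version; PLACEHOLDER values, replace with the builds named in the advisory.
$TargetBuild = @{
    '7.0.3' = 21000000   # placeholder, not a real build number
    '8.0.1' = 22000000   # placeholder, not a real build number
}

function Test-HostPatchLevel {
    # Accepts objects shaped like Get-VMHost output (Name, Version, Build).
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $VMHost,
        [hashtable] $Target = $TargetBuild
    )
    process {
        $required = $Target[[string]$VMHost.Version]
        $build    = [int]$VMHost.Build

        # A version that is not in the table is a finding too: it is either
        # unsupported or simply not tracked, and both deserve a look.
        if (-not $required)           { $status = 'UnknownVersion' }
        elseif ($build -ge $required) { $status = 'OK' }
        else                          { $status = 'NeedsPatch' }

        [pscustomobject]@{
            Name     = $VMHost.Name
            Version  = $VMHost.Version
            Build    = $build
            Required = $required
            Status   = $status
        }
    }
}

# Constructed sample data (not from a real environment) so the example runs offline.
$SampleHosts = @(
    [pscustomobject]@{ Name = 'esx01.lab.local'; Version = '7.0.3'; Build = '20990000' }
    [pscustomobject]@{ Name = 'esx02.lab.local'; Version = '7.0.3'; Build = '21000000' }
    [pscustomobject]@{ Name = 'esx03.lab.local'; Version = '6.7.0'; Build = '17000000' }
)

$SampleHosts | Test-HostPatchLevel | Format-Table -AutoSize

# Against a live vCenter (PowerCLI installed, session opened with Connect-VIServer):
# Get-VMHost | Test-HostPatchLevel | Where-Object Status -ne 'OK'
```

Run it after every advisory that affects your versions and feed the `NeedsPatch` rows into your change process; hosts reported as `UnknownVersion` are running a version you are not tracking, which is usually worse news than a missing patch.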
Making sure backup and DR solutions are in place
The second most important thing is, in my opinion, to have proper backups in place.
And with proper I mean not only making backups but also making sure you can use those backups to restore environments. Do regular restore tests, maybe every 3 or 6 months, to make sure your backups are valid. This also gives your administrators the chance to practise their skills and keep them current, which is very helpful in an emergency.
Another thing to keep in mind regarding backups is the 3-2-1 rule. The 3-2-1 rule is basically this:
- There should be 3 copies of data
- On 2 different media
- With 1 copy being off site
Sounds easy enough, but as you read this ask yourself: do I have this kind of backup setup in place?
I found this article from Veeam rather insightful regarding the 3-2-1 rule, so if you want to see what 3-2-1 is all about, hop on over to the article. This is, by the way, not a recommendation or a promotion to start using Veeam as your backup product, but rather a nice read and a short explanation in a blog post that caught my attention.
In terms of disaster recovery the above advice stands. Make sure you have a tested and proven strategy in place. But also make sure you know how much data you can afford to lose and how long it takes to recover and be up and running again (RPO and RTO). Also do not confuse backup with DR. With a backup your data is stored somewhere else, but in an emergency that is not ransomware related, like a fire, you do not have a location or equipment to restore to.
Of course there are the hyperscalers and other cloud solutions you could quickly start using, but it takes time and effort to set that up, and if you have massive amounts of data, restoring will take forever.
VMware products that can help you with your DR setup are things like Site Recovery Manager (SRM) or VMware Cloud Director Availability.
Separate management authentication
With phishing attacks becoming more and more a daily threat it is important to make sure you have separation of management authentication in place.
Some things to keep in mind here are:
- Have dedicated administrative accounts in place
- Do not use accounts with the highest rights available (for instance, do not use the Enterprise Admins account when managing Active Directory)
- Do not expose important infrastructure components directly to the internet
- Grant access to specific resources like vCenter only to the people (vSphere administrators) who need it. Do not just hand out access because it could be handy or easy.
- Separate network segments
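The account rules in this list can be audited rather than just stated. The function below is an added example, not code from the original post or from VMware: it takes objects shaped like PowerCLI's `Get-VIPermission` output (Principal, Role, Entity, Propagate, IsGroup) and flags the built-in `Admin` role granted to a highest-privilege AD group or to a user account that does not follow a dedicated-admin naming convention. The domain name `LAB`, the `adm-` prefix convention and the sample permissions are assumptions constructed for the example so that it runs offline.

```powershell
# Added example (not from the original post). The domain LAB, the adm- prefix
# and the group names below are assumptions; adapt them to your own conventions.
$AdminRoles       = @('Admin')                               # PowerCLI name of the built-in Administrator role
$DedicatedAdminRx = '^LAB\\adm-'                             # assumed convention: dedicated admin accounts are LAB\adm-<name>
$ForbiddenGroups  = @('LAB\Domain Admins', 'LAB\Enterprise Admins')

function Find-RiskyPermission {
    # Accepts objects shaped like Get-VIPermission output
    # (Principal, Role, Entity, Propagate, IsGroup) and emits one finding per risky grant.
    param([Parameter(Mandatory, ValueFromPipeline)] $Permission)
    process {
        # Only full-control grants are interesting for these two rules.
        if ($Permission.Role -notin $AdminRoles) { return }

        $finding = $null
        if ($Permission.Principal -in $ForbiddenGroups) {
            $finding = 'highest-privilege AD group used for vSphere administration'
        }
        elseif (-not $Permission.IsGroup -and $Permission.Principal -notmatch $DedicatedAdminRx) {
            $finding = 'admin role on an account that is not a dedicated admin account'
        }

        if ($finding) {
            [pscustomobject]@{
                Principal = $Permission.Principal
                Role      = $Permission.Role
                Entity    = $Permission.Entity
                Propagate = $Permission.Propagate
                Finding   = $finding
            }
        }
    }
}

# Constructed sample data (not from a real environment) so the example runs offline.
$SamplePermissions = @(
    [pscustomobject]@{ Principal = 'LAB\adm-jdoe';      Role = 'Admin';    Entity = 'Datacenters'; Propagate = $true; IsGroup = $false }
    [pscustomobject]@{ Principal = 'LAB\jdoe';          Role = 'Admin';    Entity = 'Datacenters'; Propagate = $true; IsGroup = $false }
    [pscustomobject]@{ Principal = 'LAB\Domain Admins'; Role = 'Admin';    Entity = 'Datacenters'; Propagate = $true; IsGroup = $true  }
    [pscustomobject]@{ Principal = 'LAB\backup-svc';    Role = 'ReadOnly'; Entity = 'Datacenters'; Propagate = $true; IsGroup = $false }
)

$SamplePermissions | Find-RiskyPermission | Format-Table -AutoSize

# Against a live vCenter (PowerCLI installed, session opened with Connect-VIServer):
# Get-VIPermission | Find-RiskyPermission
```

Of the four sample grants, only `LAB\jdoe` (a daily-use account holding the admin role) and `LAB\Domain Admins` (the highest-privilege AD group) are reported; the dedicated `LAB\adm-jdoe` account and the read-only service account pass. Run the live version after every permission change, not just once, because access granted "because it was handy" tends to creep back in.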
There are so many components involved in being properly prepared to fight off ransomware attacks that I will not go into all of them here, but rather point you to this great document from VMware, which is very detailed and comprehensive.
But there are some general ideas or tips to keep in mind as well:
- Train your users; make sure they know how to deal with suspicious activity and with password management, for instance:
- Social engineering
- Sloppy password management (post-it notes…)
- Do not share confidential information; check your company policies around information security
And of course as I pointed out in the beginning of this blog there is the Ransomware Resource Center.
Some nice things to look out for in the RRC and other resources are:
- Practical Ideas for Ransomware Resilience in VMware vSphere Environments
- Security configuration guides
- Patch management of the vSphere environment
- VMware Security Advisories
- Carbon Black
- VMware Security Solutions
I hope the information I shared is useful and that you have some new and fresh insights for your own environments.