
Systematic Workload Reprovisioning To Become Prevalent

FP Archives February 2, 2017, 23:08:09 IST

Given current threats, it will require fundamental shifts in the way security professionals think about the ongoing security and management of server and desktop workloads, says Gartner


One of the toughest problems in information security is addressing advanced intrusions that have bypassed traditional security controls and now reside undetected on enterprise systems, according to Gartner, Inc. With advanced threats that are financially motivated and targeted, including state-sponsored “advanced persistent threats,” intrusions can remain undetected for extended periods of time.

“Once an advanced attack has gained a foothold in a system, the intrusion can remain undetected for extended periods of time, either because a signature isn’t available to detect the intrusion or because it has compromised the host operating system at a deep level, so that it remains cloaked and undetectable by endpoint security controls,” said Neil MacDonald, vice president and Gartner fellow.


“New approaches, such as systematic workload reprovisioning, are needed to counter these advanced threats, and will require fundamental shifts in the way security professionals think about the ongoing security and management of server and desktop workloads.”

The principle behind systematic workload reprovisioning (SWR) is straightforward: periodically rebuild and reprovision server and desktop workloads from a high-assurance library of base image files. Gartner analysts said that with the uptake of server and desktop virtualisation techniques at the OS and application level, new scale-out resilient application architectures, and today’s advanced threat environment, the time has come for enterprises to adopt a SWR strategy.

“A SWR strategy reduces the dwell time of an intruder and will appeal to information security professionals looking for new ways to counter advanced intrusions for high-risk workloads,” MacDonald said. “Systematic reprovisioning of workloads from high-assurance repositories will become an accepted strategy for high-risk workloads to counter advanced intrusions during the next five years.”

Gartner predicts that by 2016, more than 20 percent of enterprises will adopt a SWR strategy for high-risk, server-based workloads, and more than 60 percent of enterprises will adopt a SWR strategy for hosted virtual desktop workloads.

Although workload reprovisioning isn’t a new concept, proactive and systematic workload reprovisioning is. With SWR, the process of restoring workloads back to high-assurance states becomes the norm, not the exception, and it will become an automated, not manual, process. By periodically resetting workloads back to a high-assurance state, information security professionals proactively remove deeply rooted malware from the system, making it nearly impossible for advanced intrusions to persist, and minimising the dwell time of undetected intrusions.


All high-risk workloads should be periodically reprovisioned, even if they appear to be healthy. Rather than live workloads being trusted, the model of trust is reduced to the high-assurance libraries and templates used to reconstruct the workloads. Workloads will be reprovisioned and restored back to a high-assurance state on a regular basis.

“Although the principle behind SWR is straightforward, the change in mindset is significant,” MacDonald said. “With an SWR strategy, workloads in production are not trusted and are considered compromised. With today’s advanced threat environment, we must adopt this change in thinking and adjust our security and operational strategies to reflect this.”
