As adoption of virtualization technology continues, organizations gain a new set of concerns when it comes to compliance audits, experts say. To deal with the situation, organizations need to have the proper management and monitoring capabilities in place.

Virtualization adoption continues to grow, often outpacing efforts to secure virtual environments, analysts say.
The most common virtualization management problems, such as virtual sprawl and separation of duties, should sound familiar to IT administrators.

"People are deploying virtualization as fast as they can, and they're being slow to deploy the management tools and the compliance and security tools that are really required," Michael Berman, CTO of Catbird Networks, said in an interview with eWEEK.
Berman spoke about this very issue Aug. 17 at the SANS Virtualization Security Summit, in Washington.

Speaking to eWEEK, he said companies have reported being tripped up during audits by issues such as inventory management and requests for access logs for the virtual machine image file. For all virtualization's benefits, it opens the door to a new class of management and security issues that must be addressed to satisfy compliance audits.

"Virtualization makes it a lot easier to spin up new servers, and quite often change-management procedures relied on the fact that it was complicated to get a new server on the network," said Gartner analyst John Pescatore. "[There are] a lot of unpatched and misconfigured server clones showing up."
Change management processes should have a strong administrator control/audit trail at the virtualization server level, Pescatore said. He added that another common problem is the crossing of security zones without thinking through the consequences. Organizations should either not consolidate across security zones or use software firewall images in the virtualization server to ensure that the equivalent firewall rules are applied, he explained.

Chris Wolf, an analyst with the Burton Group, added that many organizations assume that software-based zoning within the virtual infrastructure is acceptable to security compliance auditors. But many auditors now require physical isolation of zones of trust.

"Organizations must err on the side of caution, and when conducting a consolidation assessment, security zoning restrictions must be considered," Wolf said.

But in Wolf's eyes, the biggest mistake organizations make is ignoring the client.

"This is important because within many organizations, users run client-hosted [Type II] hypervisors such as VMware Player or Virtual PC," he said. "Many users download server operating systems [that are unmanaged by IT] and run them locally on their systems. The result of this practice isn't much different than allowing users to build 'white-box' servers at home, bring them to work and connect them to the LAN. A couple of our clients have had users inadvertently connect a DHCP [Dynamic Host Configuration Protocol] server VM to the LAN that passed out bogus IP addresses."

The end result is a denial of service to several users, he noted.

"There are tools that can address this problem, such as VMware ACE, but organizations have been reluctant to use them due to their added cost," Wolf said. "MED-V, which is bundled with Windows 7, provides a framework for policy-based VM management at the client endpoint."

At the end of the day, companies need to take a good look at their infrastructure and understand their security needs, said Eric Chiu, CEO of virtualization security vendor HyTrust.

"Companies need to look at the policies and mandates for their organization and make sure they are covered in virtual infrastructure," Chiu said.