Cloud Computing Security: 10 Tips for Protecting Virtual Systems

 
 
By Chris Preimesberger  |  Posted 2012-11-21
 
 
 

Traditional Security Controls Still Apply

It may seem obvious, but many administrators forget to enforce basic security procedures and processes as they transition to a virtual setting. Antivirus, antispyware, firewall and intrusion prevention must be available on the server and host virtual platforms. Be careful, however, as these important security updates may create a storm-like environment that causes an unintentional denial of service.

Traditional Security Controls Still Apply

Protect Your Hypervisor(s)

At the top layer of your virtual environment is the greatest opportunity for access. Virtual security controls can help prevent unauthorized changes and tampering to hypervisors.

Protect Your Hypervisor(s)

Create a Virtual Security Policy

You should have a security policy for your physical environments, but make sure that you create policies, standards, guidelines and procedures for your virtual environments as well. They are many parallels, but some are widely different due to the physical limitations of the virtual world.

Create a Virtual Security Policy

Build Collaboration Between Departments, Engineering Teams

Virtualization may span the entire enterprise and so can an incident resulting in a breach. Make sure the lines of communication are open and free of conflict so you can build virtually, and respond to virtual threats so that they do not become exploits.

Build Collaboration Between Departments, Engineering Teams

Create Virtual End-Point Security

The need for traditional firewalls and intrusion prevention and detection systems doesn't go away as you virtualize and move to cloud architectures. Deploy proven virtual firewalls and IPS's at critical architectural points. Also, don't forget to monitor and log with an enterprise integrated security information and event management system.

Create Virtual End-Point Security

Insist Upon Patch Management

Many of the same issues exist in the cloud. Make sure your virtual environment is patched according to the criticality of the systems and data. Test patches in a sandbox, not in production. Stage and phase as required based on change control/management processes.

Insist Upon Patch Management

Understand Administrative Privilege

Role based access controls still apply in the virtual world so continue to use the principal of least  privilege and audit administrative access and escalation of privilege regularly.

Understand Administrative Privilege

Deploy Virtual Forensics for In-Depth Defense

Problems can arise in every system, virtual or not. Remember to build in forensic logging and analysis into your virtual world. Add virtual device telemetry for even greater visibility. Be sure to maintain flow based telemetry for additional virtual visibility.

Deploy Virtual Forensics for In-Depth Defense

Invest in More Training

Training for virtual security is not always the same as for the physical world. Almost all of the traditional tools for deployment, management and forensics are different for the virtual world. Budget and plan for ongoing training for your team.

Invest in More Training

Guess what? Regulatory, Compliance Issues Are Still Here

Virtual environments are viewed with even greater skepticism than physical environments. Expect more in-depth examination of your adherence to rules and regulations. Maintaining strong access controls, zoning and configuration management is essential, especially in industries or localities that require high levels of regulatory compliance.

Guess what? Regulatory, Compliance Issues Are Still Here

Rocket Fuel