Driven by the potential cost reductions gained through server consolidation, the virtualization movement has delivered multiple benefits and proven deployments over the past few years. Yet, without proper security planning, virtualization could come at a cost that greatly outweighs the potential savings. As a result, access control-a fundamental component of any security design-has become a top-of-the-line issue for managing virtual infrastructures, especially with privileged accounts that hold business-critical information.
In the past, an organization may have had 500 servers managed by several administrators. Today, that organization may have only half the physical servers, yet thousands of virtual machines with multiple operating systems. Many companies do not initially consider the increased management effort required to maintain these VMs, let alone the new security challenges. Since the VMs of today can operate over multiple systems, platforms and protocols, the security complexities facing virtualized infrastructures can be easily overlooked-and potentially catastrophic.
To protect organizations from access management issues with a virtualized infrastructure, there are six things in particular to consider such as: identifying the accounts, automating system access, allocating shared resources, ensuring on-demand and run-time access, delivering service for privileged access management, and testing for business continuity. Let's examine each of these in detail:
1. Identifying the accounts
To protect business-critical information in virtualized environments, one first needs to understand the two types of privileged accounts. The first type of privileged account is an administrator account; this is used by human administrators to gain access to devices, operating systems and applications for the purposes of maintaining those systems. The second type of privileged account is an embedded account; this is used by programs to connect to devices, operating systems and other programs as required. Understanding these two types of accounts is essential, especially in light of the highly publicized incidents involving "trusted insiders" at very large organizations and public departments-those with the time, knowledge and means to access business-critical information from the organization.