Traditional Security Controls Still Apply

It may seem obvious, but many administrators forget to enforce basic security procedures and processes as they transition to a virtual setting. Antivirus, antispyware, firewall and intrusion prevention must be available on the server and host virtual platforms. Be careful, however, as these important security updates may create a storm-like environment that causes an unintentional denial of service.

At the top layer of your virtual environment is the greatest opportunity for access. Virtual security controls can help prevent unauthorized changes and tampering to hypervisors.

You should have a security policy for your physical environments, but make sure that you create policies, standards, guidelines and procedures for your virtual environments as well. They are many parallels, but some are widely different due to the physical limitations of the virtual world.

Virtualization may span the entire enterprise and so can an incident resulting in a breach. Make sure the lines of communication are open and free of conflict so you can build virtually, and respond to virtual threats so that they do not become exploits.

The need for traditional firewalls and intrusion prevention and detection systems doesn’t go away as you virtualize and move to cloud architectures. Deploy proven virtual firewalls and IPS’s at critical architectural points. Also, don’t forget to monitor and log with an enterprise integrated security information and event management system.

Many of the same issues exist in the cloud. Make sure your virtual environment is patched according to the criticality of the systems and data. Test patches in a sandbox, not in production. Stage and phase as required based on change control/management processes.

Role based access controls still apply in the virtual world so continue to use the principal of least privilege and audit administrative access and escalation of privilege regularly.

Problems can arise in every system, virtual or not. Remember to build in forensic logging and analysis into your virtual world. Add virtual device telemetry for even greater visibility. Be sure to maintain flow based telemetry for additional virtual visibility.

Training for virtual security is not always the same as for the physical world. Almost all of the traditional tools for deployment, management and forensics are different for the virtual world. Budget and plan for ongoing training for your team.

Virtual environments are viewed with even greater skepticism than physical environments. Expect more in-depth examination of your adherence to rules and regulations. Maintaining strong access controls, zoning and configuration management is essential, especially in industries or localities that require high levels of regulatory compliance.