With the potential for compromises in one virtual system or hypervisor to lead to compromises in multiple applications in a virtualized environment, the risks are too great for organizations to make security an afterthought. With virtualization technologies becoming pervasive in the data center, here are five essential steps for addressing virtualization security challenges:
Step No. 1: Include security in total cost of ownership calculations
A top driver when considering virtualization is cost savings achieved through improving server utilization and server consolidation in the data center-savings based on hardware, data center footprint and provisioning cost reductions. Security needs to be factored into these calculations to provide a complete picture. For example, virtual appliances that provide monitoring, intrusion detection, patch validation and tracking, and other security services may need to be installed on each physical platform. This can reduce the number of virtual servers supported per physical host, impacting return on investment.
Step No. 2: Make security a priority in the virtualization design phase
Organizations need to monitor security metrics along with performance within the virtual world-requiring intelligent choices to be made in isolating applications and systems. For example, isolating credit card information to a single virtual environment can greatly reduce the PCI (Payment Card Industry) compliance footprint for e-commerce merchants.
However, placing the Internet-facing Web server that takes credit card information on the same physical host as the application server checking inventory and the database managing order tracking increases the risk of data compromise.
Step No. 3: Monitor the invisible network
While a physical server environment passes data traffic across a physical network that can be monitored, a virtual server connects to a virtual network-making it difficult to monitor and protect data in transit between virtual machines. This is driving proven solutions in the physical world, such as intrusion detection and sniffers, to be adapted for virtual environments. Other solutions on the horizon include increased monitoring at the hypervisor level, virtual patch management and tools to conduct security investigations on virtualized systems.
Step No. 4: Control portable storage
Controlling the use of personal data storage devices has never been more important than in a virtualized environment. Virtualization is an excellent technology to enhance recovery due to the portable nature and size of virtual server images. Organizations can copy their system images to a hard drive, bring them to a recovery site, connect them to the replicated data and be hours ahead on their recovery timeline.
However, USB flash drives, secure digital cards and iPods can provide gigabytes of portable storage to any user-suitable to copy a few server images and walk out the door. Having a management solution for these devices is necessary to protect sensitive, personally identifiable and proprietary business information typically present in a server image.
Step No. 5: Stay current on virtualization security research
At the 2008 DEFCON hacker conference, a leading security researcher demonstrated multiple ways to compromise hypervisors, which in turn compromise the virtual hosts, exposing corporate assets such as credit card information, salaries and benefits, and proprietary business strategies and research. Keep in mind that these potential attacks are only the tip of the iceberg. Organizations need to stay current to deploy appropriate countermeasures and, in some cases, other controls to address a problem for which there is no current solution.
These steps reflect the strategic belief that information security must be integral to the assessment, design and implementation phases of virtualized environments to protect data assets and meet compliance requirements. With many organizations focusing on virtualization benefits, they must also examine core risks before it is too late-meaning security needs to be built in from the start.
Richard's experience ranges from mentoring chief security officers in implementing security programs to conducting enterprise security assessments of global organizations, regulatory reviews (HIPAA, GLBA, SOX), vulnerability assessments and penetration testing. He can be reached at [email protected].