


Six Quick Tips

General Information
May 22, 2009 • Vol.31 Issue 15
Page(s) 28 in print issue

Virtual Security Is No Walk In The Park
Virtual Server Sprawl Makes It Challenging To Secure All Devices
Just when IT thought it might be getting a handle on security, along came rampant virtualization. Because it’s so easy to deploy virtual servers, many companies are losing track of what’s running where. This potentially opens the door to intruders, as so many resources are shared and so many hidden interdependencies exist.

“It’s no longer just a server, storage, networking, application, or facilities issue; security is an issue that cuts across all of the technology domains, and thus a cross-technology security solution is needed,” says Greg Schulz, an analyst with StorageIO Group (www.storageio.com).

Lock Down Virtual Server Interfaces

Intruders who are able to physically put their hands on a system can always compromise it—gaining access to the data center and physically removing hard drives or installing spyware, for example. Now take any virtual platform: Its management interface is, inherently, a network-accessible service that provides hardware-level access to virtual systems. In a virtual environment, then, if intruders gain access to the management layer, they gain entry into the physical system. They can then extract data from the hard drive at their leisure.

“It is crucial to place the virtualization systems’ management interface in a protected environment and to manage it with the same security standards and level of care that the customer places on physical access to mission-critical systems,” says Sadik Al-Abdulla, security solutions manager for CDW (www.cdw.com).

The good news is that it is entirely possible to design a virtual environment with security equal to that of a physical environment. But security must be identified as a priority design criterion and given the consideration it deserves.

The Threat From Within

Virtualization is all about sharing resources such as processors, memory, and network cards. The isolation between two virtual environments sharing the same physical resources, then, is only as strong as the virtualization platform.

“It is theoretically possible for a guest operating system to exploit the host operating system and gain access to, for example, adjacent memory spaces,” says Al-Abdulla. “In reality, virtualization platforms have been designed from the ground up to ensure isolation. That’s not to say that vulnerability won’t be found, and certainly not to say that it wouldn’t be patched as soon as it was, but it would be such a carrot that there are many people researching this.”

That opens the door to an attack through a virtual machine. Understanding the risk will ensure that processes are put in place to detect and address such threats.

“Someday, someone will find a really interesting vulnerability in one of the virtualization platforms,” says Al-Abdulla. “I consider this inevitable, so understand the risk and have the right procedures in place for this eventuality.”

Adapt Change Management To Virtual Systems

Many companies utilize some kind of system to keep track of changes within the physical environment. Otherwise, an adjustment in one system can wreak inadvertent havoc in another.

The same applies to virtual platforms. As virtual servers are quicker to deploy, they are often managed outside of processes and policies governing physical servers. To ensure consistency and maximize uptime and availability, change management processes must account for the unique aspects of managing virtual servers.

“Change control processes must be adapted to account for virtual servers,” says Bruce McCorkendale, distinguished engineer at Symantec (www.symantec.com).

In the absence of an all-encompassing approach to change management, inefficiencies creep into virtual environments. In response, the different areas of IT adopt different toolsets to solve ongoing issues.

“Training requirements for multiple toolsets make it harder to ensure consistent configuration methodologies, opening the door for vulnerabilities,” McCorkendale says. “So-called virtual sprawl is a symptom of lack of control and lack of management capabilities.”

He sees a need for client and server management solutions that let IT specify policy and requirements and then discover, measure, and remediate all machines for compliance with that policy. According to analyst firm Gartner, 65% of all system vulnerabilities can be addressed through proper system configuration; 30% through patch management; and the remaining 5% through defense against hackers, thieves, and spies.

“Bringing these three key areas together onto a single management platform can dramatically reduce risk exposure in order to better manage, secure, and recover end points,” McCorkendale says.

Virtual Networks A Threat

In a highly virtualized environment, SMEs may end up with a multitude of virtual servers on a virtual switch that all share a single physical switch port. Many network security functions such as intrusion detection/prevention are implemented “at the wire,” yet according to Al-Abdulla, some virtual guests may require a dedicated network interface card, and the occasional virtual switch may need to be cut in two for security reasons rather than logic or capacity.

“This is easy to do if it is given the appropriate consideration,” he says. “The reality is that systems and server engineers should be consulting the network and security engineers during the design and planning process to ensure that the right virtual-physical transitions are made to allow for network security functions to occur. Putting more network interface cards into your virtual farm than you’d think at first glance can reduce intrusion threats.”
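
The design review described above can be run as a check over a virtual network inventory. The following is an added example, not part of the original article: the guest names, zones, switch and NIC names are constructed, and it assumes traffic between guests on one virtual switch is switched inside the host and never reaches an "at the wire" sensor.

```python
from collections import defaultdict

# Constructed inventory (hypothetical names): guest, security zone, virtual switch.
GUESTS = [
    {"name": "web01", "zone": "dmz", "vswitch": "vsw0"},
    {"name": "web02", "zone": "dmz", "vswitch": "vsw0"},
    {"name": "db01", "zone": "internal", "vswitch": "vsw0"},
    {"name": "hr01", "zone": "internal", "vswitch": "vsw1"},
    {"name": "pay01", "zone": "pci", "vswitch": "vsw2"},
]
# Constructed map of virtual switch -> physical NIC uplink, and the set of
# uplinks whose physical switch port is covered by intrusion detection/prevention.
UPLINKS = {"vsw0": "nic0", "vsw1": "nic1", "vsw2": "nic1"}
INSPECTED_NICS = {"nic0"}


def audit(guests, uplinks, inspected_nics):
    """Return (finding, object, detail) tuples for virtual-physical design gaps."""
    zones_by_vswitch = defaultdict(set)
    for guest in guests:
        zones_by_vswitch[guest["vswitch"]].add(guest["zone"])

    findings = []
    zones_by_nic = defaultdict(set)
    for vsw, zones in sorted(zones_by_vswitch.items()):
        # Mixed zones on one virtual switch: candidate to be "cut in two".
        if len(zones) > 1:
            findings.append(("split-vswitch", vsw, sorted(zones)))
        nic = uplinks.get(vsw)
        if nic is None:
            findings.append(("no-uplink-recorded", vsw, sorted(zones)))
            continue
        zones_by_nic[nic] |= zones
        # Uplink leaves the host on a port no network security function watches.
        if nic not in inspected_nics:
            findings.append(("uninspected-uplink", vsw, [nic]))
    for nic, zones in sorted(zones_by_nic.items()):
        # Several zones behind one physical NIC: a dedicated NIC may be needed.
        if len(zones) > 1:
            findings.append(("shared-nic", nic, sorted(zones)))
    return findings


if __name__ == "__main__":
    for finding in audit(GUESTS, UPLINKS, INSPECTED_NICS):
        print(*finding)
```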

by Drew Robb


BONUS TIPS

Begin security design by ignoring virtualization. If a logical system—physical or virtual—belongs on a certain network segment, behind certain protections, then that is where it needs to be. Start from the standpoint of a secured physical infrastructure, and then back into the virtualization design based on the logical security requirements, says Sadik Al-Abdulla, security solutions manager for CDW (www.cdw.com).

Secure end points in virtual environments. So much attention goes to virtual servers that some SMEs may forget to pay much attention to end points. Bruce McCorkendale, distinguished engineer at Symantec (www.symantec.com), recommends the adoption of an endpoint security solution equipped to secure virtual, as well as physical, platforms.



Best Tip: Let Common-Sense Security Prevail

Use common sense when it comes to virtual security. If something can happen, it probably will, so it’s just a matter of time. Virtualization and clouds, after all, do not eliminate threat risks. While they might mask or move the issue, there is increased exposure.

“Use common sense, be alert, have a comprehensive threat risk assessment, and perform leak detection proactively, rather than waiting for an after-the-fact forensic exercise,” says Greg Schulz, an analyst with StorageIO Group (www.storageio.com).



Smart Tip: Don’t Be Scared Of The Virtual World

Despite all these cautions, don’t be scared when it comes to using virtualization. It’s a powerful technology that can reduce costs and increase workloads. But like all new breakthroughs, people will always be looking for a backup.

“Virtualization is game-changing technology that has helped us do our jobs more effectively and more cost efficiently,” says Sadik Al-Abdulla, security solutions manager for CDW (www.cdw.com). “Take my doom and gloom in context—as design best practices, not as a cautionary statement.”

Copyright © by Sandhills Publishing Company 2010. All rights reserved.