
The adoption rate of virtual machines has exploded at
most organisations, creating a boom in logical servers and devices
connected to the network, with many organisations not accounting
for the fact that each needs to be individually configured,
patched, and secured, writes Chris Schwartzbauer,
vice-president at Shavlik Technologies.
Virtual machines, like their physical counterparts, have
network access and can be scanned, hacked, infected, and
compromised just like a dedicated physical device. And they are
more dynamic, coming and going at the whim of the growing number of
tech-savvy users. But managed properly they can actually improve
security posture.
Organisations are admitting they do not have management
strategies in place to track, let alone control, them individually.
Further, the trend, which started within the data centre, is now
moving beyond it. The endpoint, everything from servers in smaller
regional offices to desktops and laptops, is a growing target for
the cost savings that virtualisation promises. This is
causing whatever management practices were in place to be
decentralised, allowing various users to create and remove virtual
machines before any reasonable governance measures can be put in place.
Given this, industry analyst Gartner estimates that 60% of
production virtual machines will be less secure than their physical
counterparts. Without due consideration of the management issues,
administrators are at risk of undoing 15 years of investment their
organisations have made to build strong defences for their physical
systems.
Prior to virtualisation, the addition of new servers and
applications was naturally throttled due to budget, hardware
acquisition, rack space, and other time-consuming activities,
creating a natural process for IT operations and security teams to
be notified when new servers were being added. New virtual servers
can appear significantly faster and more easily, without any
authorisation at all.
Virtualisation forces organisations to think differently and
change processes. Security and IT administrators need to
aggressively and continuously monitor for new devices, servers, and
services. They will also be required to automate the processes
behind vulnerability management, including patch and configuration
management.
While many have adopted various tools to do this, the result has
been semi-automatic with manual intervention required to deploy,
verify and report on much of the activity. The volumes of virtual
machines will require a more continuous response that is linked at
every stage from the detection, to the remediation and reporting of
action taken for patches, configuration errors and other
vulnerabilities. Further, when it comes time to apply security
updates to virtual machines, administrators must be in a position
to treat them just like dedicated physical devices.
Offline opportunity
This is a particular challenge for dormant offline machines,
where the technology to tackle it is only just being developed,
but here too there is potential to improve security
posture. Many enterprises intentionally keep a significant
number of virtual machines offline to address requirements such as
business continuity, or to reduce energy consumption (Green IT),
bringing them online as operational requirements dictate.
It is often a time-consuming and difficult operational task to
bring these offline machines online just to configure them to be
safe against potential threats. If virtual machines can be managed
and secured in their offline state, their window of vulnerability
to a particular threat is significantly reduced.
Thus organisations can achieve the goals that virtualisation
claims to support while maintaining their security posture.
Further, security is boosted by the ability to use virtual machines
that have been patched offline for critical system backup when a
patch requires a system reboot. The common strategy is to wait
nervously for a time when critical systems can be taken down.
While it is true that implementing virtualisation without proper
security increases an organisation's vulnerabilities, it's also
true that when properly safeguarded through a planned, continuous
and ongoing process, supported by automated discovery of new
virtual machines, even before they come online, an organisation can
actually experience an improved level of security.
Shavlik Technologies is exhibiting at Infosecurity Europe
2009 on 28-30 April 2009 at Earls Court, London.