The adoption rate of virtual machines has exploded at most organisations, creating a boom in logical servers and devices connected to the network, with many organisations not accounting for the fact that each needs to be individually configured, patched, and secured, writes Chris Schwartzbauer, vice-president at Shavlik Technologies.
Virtual machines, just like their physical counterparts have network access and can be scanned, hacked, infected, and compromised just like a dedicated physical device. And they are more dynamic, coming and going at the whim of the growing number of tech-savvy users. But managed properly they can actually improve security posture.
Organisations are admitting they do not have management strategies in place to track, let alone control them individually. Further, the trend, which started within the data centre is now moving beyond it. The endpoint, everything from servers in smaller regional offices to desktops and laptops, is a growing target for the cost savings that virtualisation has to promise. This is causing whatever management practices that were in place to be decentralised, allowing various users to create and remove them before any reasonable governance measures can be put in place.
Given this, Industry analysts, Gartner estimates that 60% of production virtual machines will be less secure than their physical counterparts. Without due consideration of the management issues, administrators are at risk of undoing 15 years of investment their organisations have made to build strong defences for their physical systems.
Prior to virtualisation, the addition of new servers and applications was naturally throttled due to budget, hardware acquisition, rack space, and other time consuming activities, creating a natural process for IT operations and security teams to be notified when new servers were being added. New virtual servers can appear significantly faster and easier, without authorisation at all.
Virtualisation forces organisations to think differently and change processes. Security and IT administrators need to aggressively and continuously monitor for new devices, servers, and services. They will also be required to automate the processes behind vulnerability management, including patch and configuration management.
While many have adopted various tools to do this, the result has been semi-automatic with manual intervention required to deploy, verify and report on much of the activity. The volumes of virtual machines will require a more continuous response that is linked at every stage from the detection, to the remediation and reporting of action taken for patches, configuration errors and other vulnerabilities. Further, when it comes time to apply security updates to virtual machines, administrators must be in a position to treat them just like dedicated physical devices.
This is a particular challenge for the dormant offline machines where the technology is only just being developed to tackle the challenge-but here too potential for improvements to security posture can lie. Many enterprises intentionally have a significant number of virtual machines offline to address requirements such as business continuity, or to conserve energy consumption (Green IT), bringing them online as operational requirements dictate.
It is often a time consuming and difficult operational task to bring these offline machines online just to configure them to be safe against potential threats. If virtual machines can be managed and secured in their off line state, their window of vulnerability to a particular threat is significantly reduced.
Thus organisations can achieve the goals that virtualisation asserts to support while maintaining their security posture. Further, security is boosted by the ability to use virtual machines that have been patched offline for critical system back up when a patch requires a system reboot. Common strategy is to nervously wait for a time when critical systems can be taken down.
While it is true that implementing virtualisation without proper security increases an organisation's vulnerabilities, it's also true that when properly safeguarded through a planned, continuous and ongoing process, supported by automated discovery of new virtual machines, even before they come online, an organisation can actually experience an improved level of security.
Shavlik Technologies is exhibiting at Infosecurity Europe 2009 on 28-30 April 2009 at Earls Court, London.