Cost pressures and the rise of cloud computing have led many businesses to turn to lower-cost virtual environments on premise and in the cloud, but a lack of expertise and experience may be exposing these organisations to unnecessary security risk.
Researchers and other members of the security industry believe that in addition to a general lack of understanding about how virtual environments work, the fact that the business is so focused on performance and cost, often means security is either overlooked or tagged on only at the end.
According to Forrester security and risk analyst Andrew Rose, many IT professionals think a virtual server is just the same as a physical one, even though the risks are different.
As organisations seek the economic benefits of virtualising their IT environments, servers are no longer individual pieces of equipment that are hard-wired into carefully controlled physical networks. Instead, they are complex software instances running on top of virtual networks and connecting to increasingly virtualised storage layers, which means data protection must change accordingly.
ISF recommends special attention is paid to:
- Segregation of virtual servers according to the confidentiality requirements of information they process.
- Separation of virtual servers to prevent information being transferred between discrete environments.
- Restricting access to a limited number of authorised individuals (eg hypervisor administrators) who are capable of creating virtual servers and making changes to them correctly and securely.
- Encrypting communications between virtual servers (eg using Secure Sockets Layer (SSL ) or IPSec).
- Segregating the roles of hypervisor administrators (for multiple virtual servers).
So what should information security professionals be doing to ensure that their organisations’ virtual environments are secure as well as cost efficient? The Information Security Forum (ISF) has worked with its members to identify key responses that have been included in a standard of good practice for securing virtual environments.
The ISF believes these key responses should include:
- Establishing a policy for the use of virtual servers;
- Limiting the number of virtual servers that can run on a single physical server;
- Controlling the number of critical business applications that can be run on a single server.
Virtual servers should be protected by applying standard security management practices to hypervisors, which are the key point of protection, says Adrian Davis, principal research analyst at the ISF.
These practices include: applying a strict change management; monitoring, reporting and reviewing super-user activities; restricting access to the virtual server management console; and monitoring network traffic between different virtual servers and between virtual servers and physical servers to detect malicious or unexpected behaviour.
“Each virtual server should be protected by applying similar security management practices to those applied to physical servers, including restricting physical access, system hardening, applying change management and malware protection, monitoring and performing regular reviews, and applying network-based security controls such as firewalls, intrusion detection and data leakage protection,” says Davis. He also believes that security professionals should not consider only virtualised environments in their own organisation, but should also focus on virtualised environments in their suppliers, and demand that those suppliers adhere to the same good practices.
Lee Newcombe, managing consultant at Capgemini, supports the view that security professionals must consider new strategies and technologies to apply the most appropriate security controls in such virtualised environments. “We should not simply be replicating the familiar deployment models from the physical world in the virtual world,” he says.
Traditional n-tier architecture, which separates out the presentation, application and data tiers via physical firewalls is not as effective in the virtual world, he says, where there may be two or more of these tiers hosted on the same physical hardware.
Tips for virtual security design:
- Consider compliance requirements. Are there any requirements that enforce a degree of physical separation? Such requirements may necessitate multiple virtualised environments with physical firewall (or air-gapped) separation.
- Identify the resources that the service requires in order to function. Think in terms of network access, compute resource and storage rather than servers and network segments.
- Identify the different types of users that require access to the service, eg external users, internal users or trusted partners.
- Group the identified resources into zones (security domains) based on the characteristics of the data, user communities and access requirements.
- Conduct a risk assessment. Identify the risks that need to be managed per zone
- Base the security controls around these zones; controlling and monitoring the activities within each zone and, more importantly, controlling and monitoring the interactions across each zone.
In designing security for virtualised environments, Newcombe advises that information security professionals consider compliance requirements, identify resources required, identify types of users who will access data, conduct a risk assessment, group resources into zones or security domains, and base security controls around these zones. Gartner researcher Trent Henry says that by providing virtual switches that allow communication between guests on a physical host, virtualisation hides a considerable amount of traffic from traditional physical network protection, including intrusion detection and intrusion prevention systems.
“Zoning and network visibility not only help with defence in depth, but also answer compliance obligations and limit infrastructure scope for audits,” says Henry. Gartner clients take three approaches: routing virtual traffic to physical choke points (routers/firewalls); increasing protection in guests via system firewalls; and using hypervisor- integrated protection like virtual firewalls. While controlling and monitoring the activities within, and interactions between, security zones is important, this often raises concerns, says Capgemini’s Newcombe.
“In a virtualised server environment you are limited to the firewalling and monitoring tools that the virtualised management infrastructure can support unless you can afford the expense of physical firewalls and multiple virtualised server farms,” he says.
“Furthermore, the hypervisor itself represents a single point of separation failure that is not present in the physical world, albeit one that may have undergone formal security evaluation.” Newcombe believes security professionals need to be pragmatic, adapting to the capabilities of virtualised environments and making the best use of these new capabilities, rather than seeking to simply “lift and shift” designs from the physical world to the virtual world.
Security standards for virtualisation
But securing a virtual environment is not just about focusing on technology; you also need to look at standards, processes, controls, monitoring and logging, says Kevin Wharram of the London Chapter ISACA Security Advisory Group. In securing virtual environments, information professionals first have to identify what virtualisation technology their organisation has in-house. “It is then advisable to find various online resources for securing that technology, such as VMWare security advisories,” says Wharram.