The ISF – working with its members – has identified a number of key responses, which it has codified in its 2012 Standard of Good Practice.
These should include:
- Establishing a policy for the use of virtual servers;
- Limiting the number of virtual servers that can run on a single physical server;
- Controlling the number of critical business applications that can be run on a single physical server.
The hypervisor is the key point of protection for virtual servers, and special attention needs to be paid to the following:
- Segregation of virtual servers according to the confidentiality requirements of information they process;
- Separation of virtual servers to prevent information being transferred between discrete environments;
- Restricting access to a limited number of authorised individuals, such as hypervisor administrators, who are capable of creating virtual servers and making changes to them correctly and securely;
- Encrypting communications between virtual servers, by using secure socket layer (SSL) or IPSec, for example;
- Segregating the roles of hypervisor administrators, for multiple virtual servers.
Virtual servers should be protected by applying standard security management practices to hypervisors. These include:
- Applying a strict change management;
- Monitoring, reporting and reviewing super-user activities;
- Restricting access to the virtual server management console;
- Monitoring network traffic between different virtual servers and between virtual and physical servers to detect malicious or unexpected behaviour.
Each virtual server should be protected by applying similar security management practices to those applied to physical servers, including restricting physical access, system hardening, applying change management and malware protection, monitoring and performing regular reviews, and applying network-based security controls (eg firewalls, intrusion detection and data leakage protection).
Security professionals should not focus only on virtualised environments in their organisation. They should also focus on virtualised environments at their suppliers, and demand that those suppliers follow the same practices.
Adrian Davis is principal research analyst at the Information Security Forum (ISF).