Security Think Tank: Virtual security more than just technology

How should information security professionals get started with securing virtual environments?

Virtualisation is not new – the technology was first developed in the 1960s when it was known as time-sharing – but it has become more mainstream in the past decade or so. 

Virtualisation is the process of taking something that is physical – server, operating system (OS) or network – and converting it into a file.

Securing a virtual environment is not just about focusing on technology – you also need to look at standards, processes, controls, monitoring and logging. 

Below are various steps that information security professionals can use to get started in securing their virtual environments.

1. Identify what virtualisation technology you have in-house

There are various supplier solutions – VMware, Citrix, Microsoft, etc. Once you have ascertained what technology you have in-house, it is then advisable to find various online resources for securing that technology. 

VMware has various online resources for securing its virtual technology, including security advisories which notify you of vulnerabilities within VMware and its related technologies. 

Other guidelines are available from Microsoft, Citrix, the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), and the Defense Information Security Agency (DISA) in the form of security technical implementation guides (STIGs).

2. Develop security standards and guidelines for securing your virtual environments


3. Develop processes and controls around configuration and access

The biggest threat to any virtual environment is misconfiguration and lack of processes. To prevent any security issues, the virtual infrastructure requires even more rigorous controls and configuration management practices. 

An example of lack of controls in a virtual environment is VM sprawl, the uncontrolled propagation of virtual machines, which is often forgotten by IT administrators. This can quickly fill up data stores, causing a denial-of-service (DOS) attack.

4. Make sure you log and monitor your virtual environments

This will enable you to detect any access control issues with users, and give you the ability to monitor for any other potential issues that could cause a security breach.

Virtualisation does offer more security, if done properly. Hopefully the above steps will help you in making your virtual environments more secure.

Kevin Wharram is a member of London Chapter ISACA Security Advisory Group.

Read more on Privacy and data protection