Security Think Tank: Virtualisation raises three main security issues

How should information security professionals get started with securing virtual environments?

The security of virtual infrastructure remains a top concern for enterprises. 

As organisations seek the economic benefits of virtualising x86 environments, servers are no longer individual pieces of equipment hardwired into carefully controlled physical networks. Instead, they are complex software instances running on top of virtual networks and connecting to increasingly virtualised storage layers. Thus, protection must adapt.

Whether working with Citrix, Microsoft or VMware virtualisation, security teams have to start by considering important issues regarding zoning, privileged administrators, and configuration and patch management:

  • Zoning: By providing virtual switches that allow communication between guests on a physical host, virtualisation hides a considerable amount of traffic from traditional physical network protection – this includes intrusion detection and intrusion prevention systems (IDSs/IPSs). Zoning and network visibility not only help with defence in depth, but also answer compliance obligations and limit infrastructure scope for audits. Gartner clients take three approaches: routing virtual traffic to physical choke points (routers/firewalls); increasing protection in guests via system firewalls; and using hypervisor-integrated protection such as virtual firewalls.
  • Privileged administrators: Virtualisation creates administrators whose power is greater than that of Windows Administrator or *NIX Root. Most organisations tackle this issue by increasing monitoring and enhancing procedural controls, but several third-party products are emerging to enforce segregation of duties among compute, network, storage and security roles in virtual environments.
  • Configuration and patch management: Virtualisation creates a new layer of software that must be managed in accordance with change control procedures, patched periodically and protected from attack. Most organisations first turn to tools provided by Citrix, Microsoft and VMware for control, but management and orchestration solutions from other suppliers can provide enhanced functionality.
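
The zoning point above, as an added example that is not part of the original article: a Python check that takes a guest inventory and a list of observed flows and reports cross-zone traffic that is switched entirely inside one host's virtual switch, where physical IDS/IPS and firewalls never see it. The inventory fields, host, segment and zone names are constructed, and the check assumes that routing between segments happens on a physical device.

```python
from collections import namedtuple

# Hypothetical inventory record: which host and layer-2 segment (port group/VLAN)
# a guest sits on, and the security zone it is meant to belong to.
Guest = namedtuple("Guest", "name host segment zone")

# Constructed sample inventory and flows; not data from the article.
INVENTORY = [
    Guest("web01", "host-a", "vlan10", "dmz"),
    Guest("app01", "host-a", "vlan10", "internal"),
    Guest("pay01", "host-a", "vlan30", "cardholder"),
    Guest("db01",  "host-b", "vlan20", "internal"),
    Guest("hr01",  "host-b", "vlan20", "hr"),
    Guest("web02", "host-b", "vlan10", "dmz"),
]
FLOWS = [("web01", "app01"), ("web01", "db01"), ("app01", "db01"),
         ("app01", "pay01"), ("db01", "hr01"), ("web02", "db01")]


def inspection_point(src, dst):
    """Say where traffic between two guests can be observed."""
    if src.host != dst.host:
        return "physical-network"   # frames leave the host over its uplinks
    if src.segment != dst.segment:
        # Assumption: inter-segment routing is done on a physical router/firewall.
        return "physical-router"
    return "virtual-switch-only"    # switched inside the hypervisor


def blind_cross_zone_flows(inventory, flows):
    """Return cross-zone flows that no physical IDS/IPS or firewall can see."""
    guests = {g.name: g for g in inventory}
    findings = []
    for src_name, dst_name in flows:
        src, dst = guests.get(src_name), guests.get(dst_name)
        if src is None or dst is None:
            # Guest missing from the inventory: report it rather than guess.
            findings.append((src_name, dst_name, "unknown-guest"))
        elif src.zone != dst.zone and inspection_point(src, dst) == "virtual-switch-only":
            findings.append((src_name, dst_name, f"{src.zone}->{dst.zone} on {src.host}/{src.segment}"))
    return findings


if __name__ == "__main__":
    for finding in blind_cross_zone_flows(INVENTORY, FLOWS):
        print(finding)
```

Each flagged pair is a candidate for one of the three approaches listed under zoning: move the traffic to a physical choke point, filter it in the guests, or inspect it with hypervisor-integrated protection.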

Organisations starting down the virtualisation path also have a new trend to consider: internal private clouds. Many enterprises seek the benefits of public cloud computing – such as scalability, on-demand service and rapid provisioning – without the security and compliance fears that come with the use of an external supplier. However, creating a more “cloudy” internal virtual infrastructure has its own potential problems:

  • Server sprawl: If users are allowed to create new systems through a self-service provisioning portal, how do you ensure they don’t sprawl?
  • Multi-tenancy: As different business units create their own systems, can you be sure that “tenants” are properly separated and controlled?
  • Governance models: Who is ultimately responsible for the virtual infrastructure – central IT or the departments that request virtual resources?

Virtualisation and internal clouds are exciting developments, but prudent security shops clearly have several issues to tackle in the years to come.

Trent Henry is a Gartner research vice-president covering security and risk management strategies.  
