Virtualization solves many problems at the server and application layer but it does open up holes in the network that must be secured.
While virtualized environments
can be cheaper, have a lower carbon footprint and quick to set up
"virtual" doesn’t have hard edges and that makes it tough to secure.
“From our many
conversations with CISOs from Fortune 50 organizations in the past few months,
we have noticed the increased need for tools to secure virtualized
environments,” said Leo Navarro, practice manager and business leader for Softtek, one of Latin America's leading IT service
providers and the founder of the global near-shore industry. “There are many
organizations that have deployed solutions to virtualize servers and desktops.
However, upon doing so they've had to re-think their overall security strategy
for virtualized environments.”
Navarro predicts that 2012 will
see many companies investing in enterprise antivirus suites that ease the
updating process, data loss prevention (DLP) tools to monitor data flowing,
two-factor authentication mechanisms to protect the access to virtual servers
and desktops, and speed up the account's provisioning processes and data
encryption tools.
“Many analysts say that security is the number one barrier to
cloud adoption, which undermines the benefits of the cloud,” said Rod Sapp,
vice president, TCIS Products and Technology at global IT firm Unisys. “In a shared infrastructure, multi-tier
environment, companies create a private cloud in the corner so that they don’t
face the risk. The problem with backing cloud computing projects into a corner
of the data center is that you compromise the value proposition of the cloud:
improved infrastructure utilization and cost efficiencies.”
Assessing what needs to be done
“Security in virtualized environments can be split into two
categories: security of the guest OS, which requires the same approach as that
for a non-virtual environment, and security of the virtual environment
infrastructure,” said Emmanuel Carabott, security research manager at GFI Software. “Virtualization solutions include several
management tools to manage hosts and guests, and for each of these management
tools there are specific security considerations.”
Companies
must first establish what level of risk they are facing.
“The
major security concerns from a virtualization perspective are individuals
gaining unauthorized access to the virtual environment management tools,
hijacking of virtual machines and/or routing to and from the virtual machine
and breakdown of the change management system in use in the organization,”
added Carabott. “Each of these security issues requires a specialized
solution ranging from firewalls to security scanners.”
The
introduction of cost-cutting measures and the aim of introducing more flexible working
policies have added to the need to secure virtualized environments. “More
companies will probably consider ‘bring your own device’ initiatives, so their
employees can select the device they want to work on,” Navarro said. “These
initiatives require companies to support operations by securing their own
virtual environments and then by extending their core applications to mobile
devices.”
The virtual challenge
Whether
or not your company allows employees to connect their own devices to the
network, network professionals need to be alert to the challenges of securing a
virtual environment. “Conceptually, security is no more challenging on
virtualized environments than it is on physical environments,” said Carabott.
“In practice, however, this is not always the case because virtualized
environments are easy to set up and it is not unheard of that an employee sets
up a virtualized environment on their own machine instead of asking for
additional physical machines or going through the proper channels.”
This
gives network administrators a headache. If the virtual environments are not
controlled centrally then there is no guarantee that even the most basic
security measures are in place.
“The
problem gets worse if that employee is not security-conscious and believes that
even if the virtual machine is compromised or breaks down, it's simply a case
of restoring a clean copy,” adds Carabott. “Unfortunately, this line of
reasoning is flawed because the employee does not realize that if the VM is
compromised it can act as a beachhead for a deeper attack on the organization's
infrastructure.”
Security in practice
Securing
virtualized environments is possible, despite the challenges.
“At Unisys, we’re using the Unisys Stealth Solution for encrypting and bit-splitting
messages from the endpoint to the data centre instead in a secure multi-tenant
environment,” said Sapp. “This removes the prospect of others gaining access to
your infrastructure and data.”
The
company is just starting to work with the commercial sector after proving the
technology in the federal space and Sapp feels there is even more companies can
do to make virtualization secure and user-friendly. “We’re integrating a high
level of security with the provisioning and automization tools we have for
virtual environments and the cloud."
However
difficult it might seem to secure a virtual environment, the very worst thing
to do is nothing at all. Every environment needs security, whether it’s
virtualized or not. It’s just a case of finding the right level of security for
your network risk, and the right tools.
No comments:
Post a Comment