RSA Report Details Potential Virtualization Risks
September 2, 2009
RSA Tuesday warned that organizations face complex security and compliance risks when they adopt virtualization, but added that those companies that succeed in managing the challenge will achieve a "security bonus."
The news adds to the warnings concerning security in modern businesses. Earlier this year, RSA, the security division of EMC, issued a report on hyper-extended enterprises, warning that the traditional walls of the business were being breached by complex supply chains, new mobile devices, and other factors.
Today's warnings are also about change.
"Because virtualization represents a paradigm shift in computing, organizations need to invest time and effort in learning how to get it right. This means ensuring that the implementation aligns with internal compliance programs and enables organizations to meet government, industry and contractual obligations," said RSA's report, "Security Compliance in a Virtual World: Best Practices to Build a Solid Foundation."
The report provided specific recommendations for enterprise IT managers eager to improve security and visibility in their virtualization deployments. For example, the report recommended that IT managers ensure their virtualization applications and platforms are hardened against attacks by, among other things, removing unneeded components from virtual machines. "Hardening checklists for virtualization platforms are available from several sources," the report said.
The report said that organizations must be able to track changes and have a change management framework. Technology, such as Security Information and Event Management (SIEM) systems, plays a key role in tracking people and helping people decipher logs.
But technology is not enough, Bret Hartman, CTO of RSA, said in an e-mail to InternetNews.com. "Organizations cannot stop at technology when it comes to change management; processes and policies must be a central part of the equation. Processes that drive approvals and verification for change management are crucial regardless of whether the infrastructure is physical or virtual," he said.
"With virtual infrastructures, the need to follow proper operational workflow (including a change management board) is even greater because of the speed and ease with which changes can be made to virtual infrastructures. So, we strongly recommend that customers build a comprehensive change management program that's centered upon policy, processes, and enabling technology," Hartman added.
Virtual environments change fast because individual applications and VMs can move from server to server as the system re-allocates resources automatically. IT managers should manage this process but not interfere with it, according to Hartman.
"Organizations should not actively seek to 'limit' VM mobility but rather 'manage' VM mobility by ensuring that the association between VMs and the physical hosts and networks on which the VMs run is carefully planned," Hartman said.
"Organizations should segment virtual networks into zones/areas with different levels of trust just as they would with a physical network," he added.
While many changes are automatic, IT managers need to keep track of the changes made by people, the report said. Doing so requires careful and accurate administrative access control.
Hartman said that access control issues will be familiar to anyone already responsible for data center security. "This is an extension of the traditional issue in the datacenter in which you typically have a system administrator with root access to some hosts on which he/she performs operational and maintenance tasks," he said.
He added that some virtualization platforms can make it easier to track activity. "Organizations should take advantage of the centralized administration capability instead of local administration of individual hypervisors (except where it is unavoidable) provided by virtualization products because such a central capability is easier to control versus hundreds or thousands of individual administration points at each hypervisor," Hartman added.
Virtualization's security bonus
That centralized management delivers virtualization's security bonus, according to the report.
"Because the cost savings are so compelling, this has been the main focus for moving to virtualization. However, there are significant security benefits that virtualization brings and as the technology evolves, virtualization will enable 'better than physical' security," the report said.
The report added that virtualization allows IT managers to collect more data about activity, make changes faster, and implement security policies and updates with greater precision.
"This speed is much harder to achieve with physical systems," Hartman said.
Article courtesy of InternetNews.com