Today many Canadian companies are reducing the number of physical servers in their organization and replacing them with cheaper-to operate virtual machines (VM).
That’s fine as long as they realize there’s nothing “virtual” about the security challenges the new environment poses, industry experts say.
They note that if left unattended, virtual systems can trigger problems such as the spread of computer viruses, data theft, denial-of-service, or regulatory compliance conflict.
Securing virtual environments is quite often a backburner issue in many companies, suggests David DeWalt, chief executive officer and president of McAfee Inc.
He cited a 2007 survey of IT professionals in which only 12 per cent of those polled implemented strategies to protect their virtual machines.
“Now that the virtual environment is built, they suddenly realize it comes with security requirements that they had not thought of before,” DeWalt told journalists at an event organized by McAfee in Toronto, Thursday.
The company recently released Foundstone Professional Services, a combination of security consulting services, processes and technology that help secure virtualized environments.
The software component includes an application that can run on top of virtualization software tools from VMWare.
In recent years, many Canadian banks and financial services firms have rolled out virtualized desktops, servers and storage assets, notes a technology analyst.
“While security requirements for their traditional systems are already set, those for the new environment are still evolving,” said Michelle Warren, senior analyst for Info-Tech Research Group based in London, Ont.
These organizations are realizing that virtualization and security planning must always go hand in hand rather having security as an afterthought, Warren said.
Many organizations mistakenly think that securing virtual machines will be the same as securing traditional operating system, according to Neil MacDonald, vice-president at Stamford, Conn. analyst firm Gartner Inc., who covers the information security.
“Applying technologies and best practices for securing physical servers will not provide sufficient protection for virtual machines,” he said.
In the rush to adopt the new technology many security issues are overlooked.
Many virtualization products address some of the security gaps but it will take several years for the tools and vendors to develop adequate protection, MacDonald said.
Through 2009 more than 60 per cent of virtual machines will be less secure than their physical counterparts, Gartner predicts.
The new virtualized environment has sparked certain challenges, noted Ross Allen, regional director in Canada for McAfee.
“While before you might have had 10 people looking after 100 servers, virtualization can change the equation to 10 people looking after 50 physical servers and thousands of virtual machines images.”
He said deploying a virtual environment also removes the link between hardware and software, which can create confusion when it comes to securing the infrastructure.
This process can blind security administrators to what is going on behind their network security appliances, Allen said.
For example, so-called intra-host threats or attacks using virtual networks and other unseen resources outside the host as entry points can go unmonitored.
This security hole can be used to spread viruses or to steal data.
Here are a few points to consider when planning a virtualization roll out:
Enhance data protection
Just as with physical systems, users should carefully consider what data will be stored in their virtual systems. A breach may expose organizations to disclosure threats.
Virtual disks are typically stored on the host in an unprotected format. Consider encryption of data to protect information in case of a breach.
Protect management controls
Many virtual machines management Web consoles come with self-signed secure socket layer (SSL) certificates used to authenticate Internet-based communication. This certificate is prone to spoofing. Replace SSL certificates with certificate issued by trusted third parties to prevent man-in-the-middle attacks.
Understand the risk of exposing management interfaces to the Internet or an increased number of users. Some organizations will have to deal with a dramatic increase of traffic that needs to be intercepted and monitored.
Plan for new access policies
Consider what access users have with respect to the host. To manage provisioning and authorization it might be necessary to create new roles such as VM administrators, VM authors and VM users.
Hardware and firmware issues
Hardware and firmware changes on a physical machine could affect confidentiality, integrity and availability of the VMs running on that physical machine.
Tried and tested patch management techniques for traditional systems may need to be augmented for virtual infrastructures.
Organizations need to set up a system for tracking applications running on VMs and physical machines to ensure patches are up to date.
Practice asset and inventory management of licenses on physical machines and VMs to control cost.
Avoid VM sprawl
Because it’s so easy to create and deploy VMs, many organizations simply replace their physical server sprawl with VM sprawl.
For example, a company that had 500 physical servers with one image each might suddenly have half the physical machines but double the VM images to manage.
The best way to avoid VM sprawl is to plan virtual machine life cycles and taking care to recover or retire virtual instances that are no longer in use.
