Managing Security in the Age of Virtualization


It’s no secret that IT as a whole is getting more difficult to manage following the rise of virtualization, so it should come as no surprise that securing virtual environments also will require additional effort.


Security In Depth
By Mike Vizard
January 25, 2012
Tech Security Today

Managing Security in the Age of Virtualization

It’s no secret that IT as a whole is getting more difficult to manage following the rise of virtualization, so it should come as no surprise that securing virtual environments also will require additional effort.

Virtual machines are difficult to secure because they increase the attack surface. With each physical server running 10 or more virtual machines, the number of applications that need securing has increased. But beyond that there is the nature of virtual machines themselves -- as they strive to bring application workloads closer to the end user, virtual machines will move from one server to another, or entire application workloads and their associated data may wind up moving from one virtual server to another.

This means virtual environments not only are becoming more complex to manage, they are also more difficult to secure.

Virtualization Security Issues

Virtual machines rely on hypervisor technology, which generally is secure, but the software that runs on top of hypervisors is still subject to the same security issues that afflict physical server environments. Those issues include Antivirus Storms, Dormant Virtual Machines and Inter-VM Attacks.

ANTIVIRUS STORMS: Traditional antivirus security was not designed for a virtual environment. When traditional security is applied to virtual machines, it does not know it is in a shared resource environment and antivirus scans or scheduled updates are initiated automatically and simultaneously across multiple virtual machines. This can easily create an “antivirus storm” that will result in debilitating performance degradation on the underlying host machine.

DORMANT VIRTUAL MACHINES: Unlike a physical machine, even when a virtual machine is offline it is still available to any application that can access the virtual machine storage over the network. Therefore, the virtual machine is susceptible to malware infection because dormant or offline virtual machines do not have the ability to run an anti-malware scan agent. Also, when a dormant virtual machine is reactivated, the security software applied to the virtual machine more than likely will be out of date.

INTER-VM ATTACKS: When a threat penetrates a virtual machine, the threat can spread to other virtual machines on the same host. Traditional security such as hardware-based firewalls might protect the host but not the guest virtual machines, easily creating a security blind spot. Protection must be applied on an individual virtual machine level -- not host level -- to ensure security.

Managing Virtualization Security

Virtual machines make the entire IT environment dynamic. They can quickly revert to previous instances, be paused and restarted. They also can be readily cloned and moved seamlessly between physical servers. As a result, vulnerabilities and configuration errors can be easily and unknowingly propagated. And it’s difficult to maintain an auditable record of the security state of a virtual machine at any given point in time. What all this means is that it’s difficult to achieve and maintain consistent virtualization security. In fact, the whole notion of securing the network perimeter is becoming obsolete. The reality is that as virtualization increasingly is extended from the server out to the desktop and eventually mobile computing devices, these days the definition of the perimeter is each and every end point that needs to be secured.

To achieve true virtual security each virtual machine instance will require a virtual security appliance, which is a software image designed specifically to run on a virtual machine. This approach allows visibility to inter-VM traffic while providing other security benefits specific to virtualization, such as virtual patching and better anti-malware software performance.

The virtual appliance is deployed to protect each VM behind it, with each physical machine now essentially operating almost like a network of virtual machines. One major benefit to this approach is that it allows organizations in many cases to apply security rules on a more granular level, because they can isolate different types of application workloads on different virtual machines.

Another benefit to this approach is it enables “agentless” protection for the entire virtual network segment, which improves performance while providing security in case the host security agent is not yet deployed or missing. The virtual security appliance also can provide the network access control (NAC) function -- it can inform or alert an administrator or prevent a virtual machine without the proper security controls in place from being initiated or moved on to a particular server.

The Trend Micro Virtualization Security Lineup

Virtualization security requires a layered approach to security that gives IT organizations the maximum amount of protection they need. The Trend Micro portfolio of virtualization security products include:

Trend Micro Deep Security provides advanced protection for systems in the dynamic data center – from virtual desktops to physical, virtual or cloud servers. Deep Security combines intrusion detection and prevention, firewall, integrity monitoring, log inspection and anti-malware capabilities in a single, centrally managed enterprise software solution. The solution can be deployed in both agentless (virtual appliance) and agent-based configurations.

Trend Micro SecureCloud is a hosted, key-management and data-encryption solution designed to protect and control confidential information deployed into public and private cloud-computing environments. It provides the freedom to move between cloud vendors without being tied to any one provider’s encryption system.

Trend Micro OfficeScan delivers protection for virtual and physical desktops on and off the corporate network. It is the industry’s first virtual desktop infrastructure (VDI)-optimized endpoint security solution, accelerating protection, reducing resource use and applying virtual patching.

Trend Micro Smart Protection Network infrastructure delivers advanced cloud protection, blocking threats in real time before they reach users. It is powered by a global network of threat intelligence sensors, e-mail, Web and file reputation technologies that work together to dramatically reduce infections.

Trend Micro Mobile Security protects smartphones and PDAs from data loss, infections and attacks, via a central enterprise console that can also manage desktop protection.

Cloud Security

Obviously, virtualization security has major implications for cloud computing. The No. 1 factor slowing the adoption of cloud computing is concerns over security. But by combining agent and agentless approaches to virtualization security, IT organizations can “rightsize” their IT security for the cloud.

Not all cloud-computing environments, however, are created equal. Considerations that influence the level of security necessary for a cloud computing environment include regulatory requirements, the sensitivity of the data and the amount of risk associated with the IT assets that need to be.

Finding the appropriate balance on a case-by-case basis is easier to achieve when the IT organization has granular control over how much security to apply at any given time or place. By applying security at the virtual machine level, IT organizations gain that level of granular control in a way that doesn’t wind up adversely affecting the performance of cloud computing applications.

The Need for More Automation

The rising complexity associated with managing virtualization is forcing many IT organizations to reconsider their management options. Instead of relying on manual processes or custom scripts that don’t scale, IT systems and security management must rely more on IT automation technologies. These next-generation management platforms not only automate routine management tasks, they also reduce so many of the common human configuration errors that hackers like to exploit. The end result is not just a more cost-effective approach to systems management but also a more secure IT environment. IT environments consisting of hundreds of virtual servers and perhaps thousands of virtual clients are beyond the capabilities of the average IT organization to manage without some investment in automation. In fact, it’s pretty apparent at this stage that cloud computing in all its forms is dependent on the automation of virtualization management, which in no small measure also includes IT security management.

The rise of virtualization allows IT organizations to address longstanding IT security management issues. Instead of treating security as an afterthought, through virtualization IT organizations can unify systems and security management in a way that reduces costs while actually improving the quality of the IT security being delivered.

Conclusion

The advent of virtualization enables IT organizations to move beyond just bolting on security. IT systems and security management now can be more closely aligned than ever. But to make that happen, IT organizations need to look to new approaches for automating the delivery of layers of security that work in concert.

The end result should be not only a more dynamic, in-depth security strategy that automatically responds to changing conditions, but also an IT environment that is easier to manage at a level of scale that winds up actually paying for itself by reducing the cost of IT.

The Dell IT Management Advantage

Dell continues to expand its portfolio of next-generation systems management products and technologies, which now feature tight integration with a variety of security products from Trend Micro.

Key elements of the Dell systems and security management portfolio include:

Dell KACE Appliances provide a lower-cost alternative to IT management by using an appliance-based architecture. Simply plug the appliance into your network and give it an IP address, and you are ready to begin managing all your desktops, laptops and servers. KACE Appliances typically deploy in one day, and because the appliances are fully integrated and pre-configured, there are no hardware or software pre-requisites, no professional service fees and no hidden costs.

The Dell KACE K Series Appliances address the management of the complete PC lifecycle, from deployment to retirement, including PC inventory and software license compliance.

Dell SecureWorks is a managed service that provides a wide range of security services to organizations of all sizes. Its security services provide protection across the network to safeguard the perimeter, critical internal assets, data, remote users, customers and partners.

By shifting responsibility for security management to Dell SecureWorks, IT organizations free up valuable time and resources that can be applied to getting more value out of their strategic IT investments.

ABOUT TECH SECURITY TODAY

Tech Security Today is committed to providing insights and actionable recommendations to help small-to-medium businesses cost-effectively maintain security. To achieve that goal we have invited a number of notable bloggers and industry experts steeped in security knowledge to share their thoughts on best practices for setting security policies to prevent issues from occurring in the first place and then how best to remediate breaches once they occur.

www.techsecuritytoday.com

ABOUT THE AUTHOR

Mike Vizard has more than 25 years of experience covering IT issues in a career that includes serving as Director of Strategic Content and Editorial Director for Ziff-Davis Enterprise, which publishes eWeek, Baseline and CIO Insight. Vizard has also served as the Editor-in-Chief of CRN and InfoWorld. In addition, he served as a senior editor with PC Week, ComputerWorld and Digital Review.