Virtual security is no less real

Virtualisation may not be an entirely new technology, but the current financial meltdow...
2. Don't mix network traffic

Hypervisors can host up to 30+ virtual servers. Traffic can easily flow between servers wit...
Upcoming SlideShare
Loading in …5

Virtual security is no less real


Published on

Virtual security is no less real

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Virtual security is no less real

  1. 1. Virtual security is no less real Virtualisation may not be an entirely new technology, but the current financial meltdown has re-emphasised its ability to reduce IT costs and maximise existing investments. Organisations are tightening their belts, but this doesn't mean that business demands on technology come to a standstill. In fact, the pressure for technology to do less with more only increases during difficult times. Virtual environments can lower the total cost of IT with the use of smaller data centres that result in less energy consumption and hardware waste. As such, analysts predict virtualisation to increase significantly in 2009. Yet many organisations fail to realise that without proper management and monitoring, they can easily find themselves in a position where critical applications perform poorly and affect business productivity. Cost efficiency shouldn't come at the expense of IT services' availability and performance. In 2008, NetIQ surveyed 1000 enterprises worldwide on the topic of virtualisation, and was shocked to find that while three quarters of respondents were deploying virtual infrastructures, almost 80 per cent of these organisations had not considered any formal means of management. In the excitement of deploying a new technology, you'd be amazed how many IT professionals forget the importance of trivial matters like security management. Besides the tangible discrepancies, there are few differences between virtual and physical servers, meaning that virtual environments still have an abundance of security and compliance requirements. There's no doubt that virtualisation is a cost-efficient technology, but it does entail a renewed approach to security. Here are four factors to consider for your virtual environment: 1. What's good for the goose.... It might sound obvious, but treat your virtual environments as you would physical infrastructures. Configuration and patch management are crucial, but remember virtual machines are often hidden from security architects, which leaves systems more vulnerable than physical servers. While planning your migration, conduct a security audit on the servers to be virtualised. Server configuration is often modified during migration, so it's vitally important that you have a pre-migration baseline to compare with after virtualisation. Also, don't neglect to perform regular audits after migration. All the policies and procedures that keep your physical environment secure still apply to virtual servers. Once migrated, start by implementing existing policies and then call on your security and audit teams to develop those specific to the virtual environment.
  2. 2. 2. Don't mix network traffic Hypervisors can host up to 30+ virtual servers. Traffic can easily flow between servers without leaving the host, through firewalls from one subnet or VLAN to another, completely unseen by analysis or monitoring tools. It's critical to isolate network traffic in a virtual world. Don't mix varying traffic types such as application and virtual management traffic that increase the risk of 'man-in-the-middle' attacks. It's best to physically isolate traffic types on separate network interface cards (NICs), switches and VLANS, or by using a hybrid of VLANS and NICs. 3. Stay in control Naturally, you don't give all of your IT staff access to Active Directory objects in your physical server infrastructure, so don't lose control of access to your virtual servers either. Use Access Control Lists (ACLs) and be meticulous about assigning roles and permissions among staff so that no one can accidentally - or intentionally - compromise security and performance. Likewise, if something does go wrong, ACLs will make it easier to identify those responsible. Work closely with security teams, and systems and data owners to define access to resources. 4. Don't skimp on the training! Education and awareness relates to every element of managing virtual environments. Send your staff to certification classes, research the technology via webinars, and take advantage of vendor training. Don't rely on 'on-the-job' training when it comes to the security of your infrastructure and assets. Investing a little time to understand the technology will make it infinitely easier to manage and keep secure. There are dramatic cost benefits to virtualisation, but they're easily negated by poor security practices that result in breaches and downtime. The only way for IT departments to meet critical SLAs is to arm themselves with the procedures they need to proactively manage the security of hybrid data centres. Virtualisation is still a relatively new concept, and the safest way to adopt new technologies is to start with a solid security foundation. Planning ahead is always better than learning from costly mistakes. Rick Logan is the Senior Technical Specialist, Security & Compliance - Asia Pacific, for NetIQ.