Virtual security is no less real
Virtualisation may not be an entirely new technology, but the current financial meltdown has re-emphasised
its ability to reduce IT costs and maximise existing investments. Organisations are tightening their belts, but
this doesn't mean that business demands on technology come to a standstill. In fact, the pressure for
technology to do more with less only increases during difficult times.
Virtual environments can lower the total cost of IT with the use of smaller data centres that result in less energy
consumption and hardware waste. As such, analysts predict that virtualisation will increase significantly in 2009. Yet many
organisations fail to realise that without proper management and monitoring, they can easily find themselves in a
position where critical applications perform poorly and affect business productivity. Cost efficiency shouldn't come at
the expense of IT services' availability and performance.
In 2008, NetIQ surveyed 1000 enterprises worldwide on the topic of virtualisation, and was shocked to find that while
three quarters of respondents were deploying virtual infrastructures, almost 80 per cent of these organisations had
not considered any formal means of management. In the excitement of deploying a new technology, you'd be
amazed how many IT professionals forget the importance of trivial matters like security management.
Besides the tangible discrepancies, there are few differences between virtual and physical servers, meaning that
virtual environments still have an abundance of security and compliance requirements. There's no doubt that
virtualisation is a cost-efficient technology, but it does entail a renewed approach to security. Here are four factors to
consider for your virtual environment:
1. What's good for the goose...
It might sound obvious, but treat your virtual environments as you would physical infrastructures. Configuration and
patch management are crucial, but remember virtual machines are often hidden from security architects, which
leaves systems more vulnerable than physical servers.
While planning your migration, conduct a security audit on the servers to be virtualised. Server configuration is often
modified during migration, so it's vitally important that you have a pre-migration baseline to compare with after
virtualisation. Also, don't neglect to perform regular audits after migration.
All the policies and procedures that keep your physical environment secure still apply to virtual servers. Once
migrated, start by implementing existing policies and then call on your security and audit teams to develop those
specific to the virtual environment.
2. Don't mix network traffic
Hypervisors can host 30 or more virtual servers. Traffic can easily flow between servers without leaving the host,
through firewalls from one subnet or VLAN to another, completely unseen by analysis or monitoring tools. It's critical
to isolate network traffic in a virtual world. Don't mix varying traffic types such as application and virtual management
traffic that increase the risk of 'man-in-the-middle' attacks. It's best to physically isolate traffic types on separate
network interface cards (NICs), switches and VLANs, or by using a hybrid of VLANs and NICs.
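As an added illustration of the isolation check in point 2 (not code from this article or from NetIQ), the Python audit below takes an inventory of one host's port groups and flags every pair where different traffic types share a VLAN, virtual switch or physical NIC. The inventory format, field names and sample values are constructed assumptions; export the real equivalent from your own platform's tooling.

```python
from itertools import combinations

# Constructed inventory for one hypervisor host (hypothetical field names).
PORT_GROUPS = [
    {"name": "mgmt",      "traffic": "management",  "vswitch": "vs0", "vlan": 10, "uplinks": ["nic0"]},
    {"name": "migration", "traffic": "management",  "vswitch": "vs0", "vlan": 11, "uplinks": ["nic0"]},
    {"name": "web-tier",  "traffic": "application", "vswitch": "vs1", "vlan": 20, "uplinks": ["nic1", "nic2"]},
    {"name": "db-tier",   "traffic": "application", "vswitch": "vs1", "vlan": 21, "uplinks": ["nic2"]},
    {"name": "backup",    "traffic": "application", "vswitch": "vs0", "vlan": 10, "uplinks": ["nic0"]},
]

def audit_isolation(port_groups):
    """Flag pairs of port groups that carry different traffic types but share plumbing.

    MIXED     - same VLAN on a shared virtual switch or NIC: no isolation at all.
    VLAN_ONLY - shared virtual switch or NIC, separated only by VLAN tag.
    Pairs with no shared switch or NIC are treated as physically isolated
    (assumption: their uplinks do not converge again on the upstream switch).
    """
    findings = []
    for a, b in combinations(port_groups, 2):
        if a["traffic"] == b["traffic"]:
            continue  # same traffic type may share a path
        shared_nics = sorted(set(a["uplinks"]) & set(b["uplinks"]))
        shares_path = bool(shared_nics) or a["vswitch"] == b["vswitch"]
        if not shares_path:
            continue
        level = "MIXED" if a["vlan"] == b["vlan"] else "VLAN_ONLY"
        findings.append((level, a["name"], b["name"], shared_nics))
    return findings

if __name__ == "__main__":
    for level, first, second, nics in audit_isolation(PORT_GROUPS):
        print(f"{level:9} {first} <-> {second} shared NICs: {nics or 'none (same vswitch)'}")
```

Treat a MIXED finding as a misconfiguration to fix, and a VLAN_ONLY finding as a decision to record: it is the hybrid arrangement the text allows, but the two traffic types still depend on one NIC and one virtual switch.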
3. Stay in control
Naturally, you don't give all of your IT staff access to Active Directory objects in your physical server infrastructure, so
don't lose control of access to your virtual servers either. Use Access Control Lists (ACLs) and be meticulous about
assigning roles and permissions among staff so that no one can accidentally - or intentionally - compromise security
and performance. Likewise, if something does go wrong, ACLs will make it easier to identify those responsible. Work
closely with security teams, and systems and data owners to define access to resources.
4. Don't skimp on the training!
Education and awareness relate to every element of managing virtual environments. Send your staff to certification
classes, research the technology via webinars, and take advantage of vendor training. Don't rely on 'on-the-job'
training when it comes to the security of your infrastructure and assets. Investing a little time to understand the
technology will make it infinitely easier to manage and keep secure.
There are dramatic cost benefits to virtualisation, but they're easily negated by poor security practices that result in
breaches and downtime. The only way for IT departments to meet critical SLAs is to arm themselves with the
procedures they need to proactively manage the security of hybrid data centres. Virtualisation is still a relatively new
concept, and the safest way to adopt new technologies is to start with a solid security foundation. Planning ahead is
always better than learning from costly mistakes.
Rick Logan is the Senior Technical Specialist, Security & Compliance - Asia Pacific, for NetIQ.