Virtualization is the new business reality. Forrester Research recently issued a report stating that 51 percent of North American companies have deployed or are testing virtualization technology.
The virtual wave is cresting and is ready to wash over the enterprise – but at what cost to security and compliance? What are the challenges presented by virtualization in terms of identity and access management?
First, what makes virtualization so popular? Virtualization is about delivering any application or data to anybody at anytime – making it especially relevant to organizations with a large mobile or geographically disparate workforce. As an organization's workforce becomes increasingly distributed, access to critical applications and data is required from a variety of locations. Virtualization affords today's workforce access to the enterprise anytime and anywhere – without costly client software installs, and without bogging down network performance.
Virtualization's strengths in providing "anytime anywhere" access also represent the greatest threats to enterprise security and compliance. While identity management and access compliance remains a top IT priority for organizations, the potential impact of virtualization has been relatively ignored. Virtualization technology excels at providing user access to applications and data – but what it's not designed to do is determine whether that user should have access to those applications at all. Virtualization creates a new level of exposure in adhering to compliance and security policies, adding layers of complexity to the issue of clearly knowing and enforcing policy around the level of access granted to a user and why.
Identity management and access compliance software has traditionally focused on in-house enterprise access – the act of putting the policies and procedures in place to ensure that users only have access to the applications and data that they're credentialed to have based upon their job or role within the organization. This task is complicated when introducing virtualization.
Virtualized access is usually provided through third-party applications, such as Citrix Presentation Server, VMWare and others. Access is traditionally linked to another platform such as an Active Directory group. Virtualization provides limited visibility into how a user achieved access to an application or data, muddying the compliance waters.
Consider the following scenario: While it may be easy to see that a user is part of Active Directory "Group X," what access clearance does that group actually provide? What policies are in place to ensure that the user should get access to specific applications via the virtual product? If the IT team adds a user to Group X in order to give them access via a virtualization application, what other access do they get by being associated with this group? If these questions haven't been asked yet, you can be sure this is the next question your auditor will ask – "How did this user get access and why?"
These are fundamental questions that all organizations should ask themselves when moving to a virtualized environment – but are not concerns that should inhibit organizations from taking advantage of the business advantages that virtualization provides. The key to effectively and securely deploying virtualization technology is to ensure that policies are in place to control access and that they are being enforced - every time.
Reviewing and provisioning access manually can be a tremendous burden to an organization's IT staff. Manually reviewing a group's access rights and how an individual user's access rights match up is a labor-intensive process that can bog down your IT staff. To ensure policy is being enforced correctly every time virtualized access is established, organizations need to automate the enforcement of security and regulatory policies for remote and virtualized application access.
By automating remote and virtualized access, organizations are able to quickly map Active Directory Group management to virtualization access policies – providing quick verification of a user's access rights, and alleviating a heavy burden carried by the IT staff. This puts control into the hands of line of business managers – giving them the ability to create access only where it's appropriate, and only for the properly credentialed. Automation also provides an auditing mechanism to provide periodic checks of users' access to ensure that it's in line with corporate policy.
While virtualization will no doubt revolutionize the way an organization views its IT infrastructure, addressing the security and compliance issues raised by virtualization are top priorities. The key to achieving the benefits of virtualization while maintaining access compliance lies in the automated creation, enforcement and validation of corporate policy, with quick remediation of any policy exceptions.
- Kurt Johnson is vice president for corporate development at Courion Corp.
