Tom Ashoff, vice president of engineering, Sourcefire
2007 was a breakout year for virtualization, when companies discovered the economic and organizational benefits in building out a virtual infrastructure. According to a survey conducted by Symantec in late 2007, 90 percent of the survey respondents were at least considering virtualization for their data centers, and 50 percent were actually implementing it.
2008 was the year in which organizations digested their purchases of virtualization products and started to realize the management challenges associated with virtualization. Everything from performance and capacity management to troubleshooting and security administration becomes more difficult in a volatile, multilayered and often heterogeneous virtualized environment.
In the midst of dealing with the complexity of managing virtual networks, organizations have not paid sufficient attention to security. According to Stephen Elliott, IDC’s research director for enterprise systems management software, “We’re finding security is the forgotten stepchild in the virtualization build-out. That’s scary when you think about the number of production-level VMs (virtual machines).” IDC research indicates that 75 percent of companies with 1,000 or more employees are employing virtualization today.
Because of the lack of attention paid to securing virtual networks, there is a distinct possibility that 2009 will bring the first public security breach related to virtualization policies or technologies. As a result, in 2009 security will take center stage in virtual environments.
Compliance will also play a much larger role for virtualization this year. Until now, auditors have not focused on inspecting virtual networks to ensure they meet regulatory requirements. At some point we can expect that virtualization will explicitly be mentioned in standards such as the Payment Card Industry’s Data Security Standard (PCI-DSS) and organizations will have to determine how they can meet these compliance requirements.
As virtualization begins to reach maturity within the enterprise, a number of best practices can help mitigate the security risks that may be created:
1. Apply standard security practices to VMs as if they were physical. These include anti-virus and anti-spyware agents, configuration control, and vulnerability scanning.
2. Segment VMs by the data they contain. Do not combine VMs containing sensitive data with VMs designated for QA or testing, for example.
3. Enforce isolation between network segments. Do not combine VMs on the same host if they are connected to network segments at different trust levels.
4. Guard against VM sprawl by maintaining an inventory of VMs and the physical host they reside on. All migrations should be documented and subject to a configuration control approval process.
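Practices 2 through 4 can be checked mechanically once a VM inventory exists. The following is an added example, not part of the original article or any Sourcefire tool: it audits a constructed inventory and migration log. The host names, VM names, data classes, trust labels and approval IDs are all hypothetical, and it assumes that "combining" VMs means placing them on the same physical host.

```python
from collections import defaultdict

# Constructed sample inventory: (vm, physical host, data class, segment trust level).
INVENTORY = [
    ("pay-db01",  "esx-a", "sensitive", "internal"),
    ("pay-app01", "esx-a", "sensitive", "internal"),
    ("qa-web01",  "esx-b", "test",      "internal"),
    ("crm-db01",  "esx-b", "sensitive", "internal"),
    ("dmz-web01", "esx-c", "public",    "dmz"),
    ("hr-app01",  "esx-c", "internal",  "internal"),
]
# Constructed migration log: (vm, from host, to host, change-approval id or None).
MIGRATIONS = [
    ("crm-db01", "esx-a", "esx-b", None),
    ("hr-app01", "esx-a", "esx-c", "CHG-1042"),
]
NON_PRODUCTION = {"test", "qa"}  # assumed labels for QA/testing VMs

def audit(inventory, migrations):
    """Return sorted (rule, subject, detail) findings for practices 2-4."""
    by_host = defaultdict(list)
    for vm, host, data_class, trust in inventory:
        by_host[host].append((data_class, trust))
    findings = []
    for host, vms in by_host.items():
        classes = {c for c, _ in vms}
        trusts = {t for _, t in vms}
        # Practice 2: sensitive data must not share a host with QA/test VMs.
        if "sensitive" in classes and classes & NON_PRODUCTION:
            findings.append(("mixed-data", host, ",".join(sorted(classes))))
        # Practice 3: a host should only serve segments of one trust level.
        if len(trusts) > 1:
            findings.append(("mixed-trust", host, ",".join(sorted(trusts))))
    known = {vm: host for vm, host, _, _ in inventory}
    last_dst = {}
    for vm, src, dst, approval in migrations:
        # Practice 4: every migration needs a change-control approval.
        if approval is None:
            findings.append(("unapproved-move", vm, f"{src}->{dst}"))
        last_dst[vm] = dst  # log is assumed to be in chronological order
    for vm, dst in last_dst.items():
        # Practice 4: the inventory must show where the VM ended up.
        if known.get(vm) != dst:
            findings.append(("stale-inventory", vm, f"expected {dst}"))
    return sorted(findings)

if __name__ == "__main__":
    for rule, subject, detail in audit(INVENTORY, MIGRATIONS):
        print(f"{rule:16} {subject:10} {detail}")
```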
As regulatory pressure begins to emerge, IT security professionals must support best practices with tools that can help them do their jobs effectively—offering visibility into their virtual infrastructure; tracking where VMs reside, where they move to, and what other hosts they are communicating with; and providing the same level of security to their virtual infrastructure that they do to their physical infrastructure.
If we are to truly benefit from the promises of virtualization, security must come to the forefront in 2009. Best practices and tools that offer a holistic approach for managing both physical and virtual network security are the answer, and can help the industry avoid a public and damaging wake-up call.