Security and virtualization: The opening of Pandora’s Box

There's no doubt that virtualization, with its ability to deliver more computing power for less money, has gained a firm foothold in many IT organizations. The cost and technical benefits of virtualization have created an internal frenzy to move more systems to a virtual environment. But as businesses rush to virtualize their data centers, many have neglected to clearly understand the compliance and security risks that a virtualized environment presents. Proactive risk management helps companies realize the true return on investment for their virtualization projects.

One of the clear benefits of virtual machines (VMs) is their ease of deployment and the ability to quickly add and remove them from the IT infrastructure. However, without the proper infrastructure to manage which machines are coming and going, whether they've been configured properly and what changes have been made, companies are introducing new security risks and compliance challenges into their businesses. And while there are many tools available for assessing server configurations in the physical world, the truth is, those tools aren't suited for virtual environments. So how can companies detect unauthorized, non-compliant changes to VMs?
There are several best practices that can be employed to mitigate the compliance and security risks associated with virtualized environments.

You can't control what you can't see. Determining what machines are live, which are in-production or pre-production, which are dormant and what services they are running is the first step in mitigating compliance risks in virtual environments. Take stock of what technologies are being used and the relevant regulatory compliance issues related to the business processes enabled by virtualization. By having a more detailed picture of the entire virtual landscape, companies put themselves in a much better position to take control.

As with any IT infrastructure, physical or virtual, the more people have access, the more potential there is for uncontrolled changes to critical systems. Reducing the number of people who are able to access and make changes to a machine to only those who require access is another step in the right direction. By monitoring Virtual Machine Manager (VMM) user account adds, removes and changes and reconciling those accounts with an authorized change order form from the virtualization manager, IT will gain a new level of visibility and control.

A large portion of today's security and compliance issues in IT can be addressed by creating and enforcing preventive controls. Specifically, this requires that all VMM configuration settings are properly defined, implemented and verified. To help make this truly operational, it is important to work with IT on defining which virtualization security standards should be used and then mandate that all systems use the same secure configuration settings. IT and virtual managers should insist that all non-compliant configurations are remediated within a certain amount of time. From there, detective controls must be put in place to assess and continuously monitor VMM configuration settings to ensure all VMs are in a “trusted state.”

So once the policies are set, how can an IT department enforce the policies set forth for configuration and security changes? The answer is simple: certainly not without support from upper management. It is imperative to obtain upper management buy-in and to then communicate the consequences from the top down.

Finally, when looking at today's stringent compliance regulations, it is important to prepare for the worst – an audit. A best practice for ensuring full preparation for an audit entails keeping all evidence, including change requests, approvals, detected changes, reconciliations of detected changes and approved change requests.
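The detective control and the audit evidence described above (detecting VM changes, reconciling them against approved change orders, and keeping the result) can be illustrated with a small script. This is an added example, not code from the article or from Tripwire; the snapshot fields, VM names and ticket numbers are constructed, and the snapshot format stands in for whatever a real VMM inventory export provides.

```python
# Constructed sample inventory snapshots: VM name -> configuration attributes.
# Field names (state, env, vcpu, owner) are assumed, not taken from any specific VMM.
BASELINE = {
    "web01": {"state": "running", "env": "production", "vcpu": 2, "owner": "ops"},
    "db01": {"state": "running", "env": "production", "vcpu": 4, "owner": "dba"},
    "test07": {"state": "stopped", "env": "pre-production", "vcpu": 1, "owner": "qa"},
}
CURRENT = {
    "web01": {"state": "running", "env": "production", "vcpu": 4, "owner": "ops"},
    "db01": {"state": "running", "env": "production", "vcpu": 4, "owner": "dba"},
    "web02": {"state": "running", "env": "production", "vcpu": 2, "owner": "ops"},
}
# Constructed approved change orders; attr=None covers whole-VM add/remove events.
APPROVED = [
    {"ticket": "CHG-1001", "vm": "web01", "attr": "vcpu", "new": 4},
    {"ticket": "CHG-1002", "vm": "test07", "attr": None, "new": "removed"},
]


def detect_changes(baseline, current):
    """Diff two snapshots into change records: VMs added, removed, or modified."""
    changes = []
    for vm in sorted(set(baseline) | set(current)):
        if vm not in baseline:
            changes.append({"vm": vm, "kind": "added", "attr": None, "old": None, "new": "added"})
        elif vm not in current:
            changes.append({"vm": vm, "kind": "removed", "attr": None, "old": None, "new": "removed"})
        else:
            # Per-attribute drift on a VM present in both snapshots.
            for attr in sorted(set(baseline[vm]) | set(current[vm])):
                old, new = baseline[vm].get(attr), current[vm].get(attr)
                if old != new:
                    changes.append({"vm": vm, "kind": "modified", "attr": attr, "old": old, "new": new})
    return changes


def reconcile(changes, approved):
    """Attach the matching change order to each detected change, or flag it unauthorized.

    The returned records are the evidence an auditor asks for: what changed,
    which approval (if any) it reconciles to, and the resulting verdict.
    """
    evidence = []
    for change in changes:
        match = next((a for a in approved
                      if a["vm"] == change["vm"] and a["attr"] == change["attr"]
                      and a["new"] == change["new"]), None)
        evidence.append({**change,
                         "ticket": match["ticket"] if match else None,
                         "verdict": "authorized" if match else "UNAUTHORIZED"})
    return evidence
```

Run on a schedule against fresh snapshots, unauthorized verdicts are the alerts and the full evidence list is what gets archived for the audit.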

Gene Kim is chief technology officer at Tripwire.
Gene Kim

Gene Kim is a multiple award-winning CTO, researcher and author, and has been studying high-performing technology organizations since 1999. He was founder and CTO of Tripwire for 13 years. He has written six books, including The Unicorn Project (2019), The Phoenix Project (2013), The DevOps Handbook (2016), the Shingo Publication Award-winning Accelerate (2018), and The Visible Ops Handbook (2004-2006) series. Since 2014, he has been the founder and organizer of DevOps Enterprise Summit, studying the technology transformations of large, complex organizations.
