Security and virtualization: The opening of Pandora's Box
One of the clear benefits of virtual machines (VMs)is their ease of deployment and the ability to quickly add and remove them from the IT infrastructure. However, without the proper infrastructure to manage what machines are coming and going, if they've been configured properly and what changes have been made, companies are introducing new security risks and compliance challenges into their businesses. And while there are many tools available for assessing server configurations in the physical world, the truth is, those tools aren't suited for virtual environments. So how can companies detect unauthorized, non-compliant changes to VMs?
There are several best practices that can be employed to mitigate the compliance and security risks associated with virtualized environments.
You can't control what you can't see. Determining what machines are live, which are in-production or pre-production, which are dormant and what services they are running is the first step in mitigating compliance risks in virtual environments. Take stock of what technologies are being used and the relevant regulatory compliance issues related to the business processes enabled by virtualization. By having a more detailed picture of the entire virtual landscape, companies put themselves in a much better position to take control.
As with any IT infrastructure, physical or virtual, the more people have access, the more potential there is for uncontrolled changes to critical systems. By reducing the number of people who are able to access and make changes to a machine, to only those that require access, is another step in the right direction. By monitoring Virtual Machine Manager (VMM) user account adds, removes and changes and reconciling those accounts with an authorized change order form from the virtualization manager, IT will gain a new level of visibility and control.
A large portion of today's security and compliance issues in IT can be addressed by creating and enforcing preventive controls. Specifically, this requires that all VMM configuration settings are properly defined, implemented and verified. To help make this truly operational, it is important to work with IT on defining which virtualization security standards should be used and then mandate that all systems use the same secure configuration settings. IT and virtual managers should insist that all non-compliant configurations are remediated within a certain amount of time. From there, detective controls must be put in place to assess and continuously monitor VMM configuration settings to ensure all VMs are in a “trusted state.”
So once the policies are set, how can an IT department enforce the policies set forth for configuration and security changes? The answer is simple: certainly not without support from upper management. It is imperative to obtain upper management buy-in and to then communicate the consequences from the top down.
Finally, when looking at today's stringent compliance regulations, it is important to prepare for the worst – an audit. A best practice to ensuring full preparation for an audit entails keeping all evidence, including change requests, approvals, detected changes, reconciliations of detected changes and approved change requests.
Gene Kim is chief technology officer at Tripwire.
From the - January 2009 Issue of SCMagazine »