While virtualized environments can be cheaper, have a lower carbon footprint and quick to set up "virtual" doesn’t have hard edges and that makes it tough to secure.
“From our many conversations with CISOs from Fortune 50 organizations in the past few months, we have noticed the increased need for tools to secure virtualized environments,” said Leo Navarro, practice manager and business leader for Softtek, one of Latin America's leading IT service providers and the founder of the global near-shore industry. “There are many organizations that have deployed solutions to virtualize servers and desktops. However, upon doing so they've had to re-think their overall security strategy for virtualized environments.”
Navarro predicts that 2012 will see many companies investing in enterprise antivirus suites that ease the updating process, data loss prevention (DLP) tools to monitor data flowing, two-factor authentication mechanisms to protect the access to virtual servers and desktops, and speed up the account's provisioning processes and data encryption tools.
“Many analysts say that security is the number one barrier to cloud adoption, which undermines the benefits of the cloud,” said Rod Sapp, vice president, TCIS Products and Technology at global IT firm Unisys. “In a shared infrastructure, multi-tier environment, companies create a private cloud in the corner so that they don’t face the risk. The problem with backing cloud computing projects into a corner of the data center is that you compromise the value proposition of the cloud: improved infrastructure utilization and cost efficiencies.”
Assessing what needs to be done
“Security in virtualized environments can be split into two categories: security of the guest OS, which requires the same approach as that for a non-virtual environment, and security of the virtual environment infrastructure,” said Emmanuel Carabott, security research manager at GFI Software. “Virtualization solutions include several management tools to manage hosts and guests, and for each of these management tools there are specific security considerations.”
Companies must first establish what level of risk they are facing.
“The major security concerns from a virtualization perspective are individuals gaining unauthorized access to the virtual environment management tools, hijacking of virtual machines and/or routing to and from the virtual machine and breakdown of the change management system in use in the organization,” added Carabott. “Each of these security issues requires a specialized solution ranging from firewalls to security scanners.”
The introduction of cost-cutting measures and the aim of introducing more flexible working policies have added to the need to secure virtualized environments. “More companies will probably consider ‘bring your own device’ initiatives, so their employees can select the device they want to work on,” Navarro said. “These initiatives require companies to support operations by securing their own virtual environments and then by extending their core applications to mobile devices.”
The virtual challenge
Whether or not your company allows employees to connect their own devices to the network, network professionals need to be alert to the challenges of securing a virtual environment. “Conceptually, security is no more challenging on virtualized environments than it is on physical environments,” said Carabott. “In practice, however, this is not always the case because virtualized environments are easy to set up and it is not unheard of that an employee sets up a virtualized environment on their own machine instead of asking for additional physical machines or going through the proper channels.”
This gives network administrators a headache. If the virtual environments are not controlled centrally then there is no guarantee that even the most basic security measures are in place.
“The problem gets worse if that employee is not security-conscious and believes that even if the virtual machine is compromised or breaks down, it's simply a case of restoring a clean copy,” adds Carabott. “Unfortunately, this line of reasoning is flawed because the employee does not realize that if the VM is compromised it can act as a beachhead for a deeper attack on the organization's infrastructure.”
Security in practice
Securing virtualized environments is possible, despite the challenges.
“At Unisys, we’re using the Unisys Stealth Solution for encrypting and bit-splitting messages from the endpoint to the data centre instead in a secure multi-tenant environment,” said Sapp. “This removes the prospect of others gaining access to your infrastructure and data.”
The company is just starting to work with the commercial sector after proving the technology in the federal space and Sapp feels there is even more companies can do to make virtualization secure and user-friendly. “We’re integrating a high level of security with the provisioning and automization tools we have for virtual environments and the cloud."
However difficult it might seem to secure a virtual environment, the very worst thing to do is nothing at all. Every environment needs security, whether it’s virtualized or not. It’s just a case of finding the right level of security for your network risk, and the right tools.
Elizabeth Harrin is Computer Weekly's IT Professional Blogger of the Year 2011. She is also director of The Otobos Group, a business writing consultancy specializing in IT and project management. She's the author of "Social Media for Project Managers" and "Project Management in the Real World." She has a decade of experience in IT and business change functions in healthcare and financial services, and is ITIL v3 Foundation certified.