Virtualization Technology News and Information
Virtualization Security on the Front Lines


By Michael Thompson, Director, Systems Management Product Marketing, SolarWinds

There has always been a lot of talk about virtualization's value proposition for increasing server hardware utilization, but that is largely a story the IT team tells the CFO to get the purchase approved.

Really, it's the flexibility that virtualization provides that has driven mass adoption by IT admins. The ability to create, delete, move or reconfigure a server in minutes or even seconds instead of hours or days has changed the way IT works.

But just as it is much harder to protect the president when he is traveling than when he is in the White House (or so I've heard), it is much harder to secure a highly dynamic virtual environment against a cyberattack than it is to secure a static IT environment.

Sources of Virtualization Security Risks

There are a number of reasons why a typical virtual environment poses a greater risk than a non-virtualized environment. By thinking through these risk factors in the specific context of security, you will be better able to minimize the threat.

  • Shared Ownership: Quite often, many different people will own the various parts of a virtual environment. For example, multiple virtualization admins might manage hosts and datastores/cluster shared volumes, and multiple departments might own and manage individual VMs tied to those shared resources. What's the old adage? "When everyone is responsible, no one is responsible."
  • Constant Change: The ability to almost instantly create a VM makes it extremely challenging to ensure that security standards are followed and maintained 100 percent of the time. Patching old VMs, guaranteeing new VMs meet all security requirements, ensuring access control credentials are current: the list could go on. It takes a lot of work to stay on top of everything, and the simplicity of creating a VM that "I'll only use for a couple of days" can cause people to take shortcuts with security.
  • Limited Visibility: With the shared ownership and constant change of virtual environments, the fact of the matter is that it can be very challenging to get a complete end-to-end view of all of the components of a virtual infrastructure from applications through the virtual layers to storage. This results in difficulty identifying and troubleshooting potential problems, such as a malicious change made as part of a cyberattack.

Minimizing the Risks

So, what's next? Here are a handful of things to consider that you can do to minimize these risks.

  • Build Security In: The harder things are, the less likely people are to do them. So, make it easier to create VMs that comply with security policies than ones that don't. Golden images and user-friendly self-service portals will be your best friends here. If you put more procedures and obstacles in front of people who are creating their own VMs (or ban it outright if possible), they will naturally follow the path of least resistance, the one you lay out for them. In so doing, you can ensure that new VMs meet standards by baking them in yourself. A careful versioning system can also make it easier to identify older versions that need updates.
  • Separate: Different groups will have different requirements. You would expect that a team doing development and/or testing, where there is a lot of change but lower impact from problems, would have orders of magnitude more change than your production environment, where there is less change but potential problems will have higher impact. So, make sure you have carefully designed separation between different parts of your environment. This can be one of your best insurance policies. But be careful, because while an area might be lower risk, that doesn't mean it is no risk. Make all environments as secure as possible and make separation part of your backup mitigation plans.
  • Get Procedures Up Front: Clearly defining procedures that will be used to enforce security programs up front makes it possible to actually enforce those procedures later. For example, set a hard policy that any VM that hasn't been logged onto for 90 days will be quarantined for two weeks, then deleted. Another example: any VM running an old or unpatched OS will get the same treatment. This might be painful at first. It's a lot like being a parent to a teenager: you can tell them what to do a thousand times, but that typically doesn't have the impact of them experiencing the consequences of not following the rules. So, follow a stated procedure and delete a VM someone cared about but didn't take the time to manage. While tough love is, well, tough, it's much more likely they will properly manage their VMs going forward. To help with all this, try leveraging automated virtualization management tools to identify VM sprawl and take remedial actions.
  • Achieve End-to-End Visibility: Lastly, make it easy to connect all the pieces so you can quickly troubleshoot the entire technology stack end to end, from applications to storage. Using a tool or strategy that makes it easy to troubleshoot and correct symptoms of problems, find and correct their root causes, and then map the connected application and infrastructure components will make it much easier to isolate security risks.
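
The quarantine-then-delete procedure from "Get Procedures Up Front", written out as a policy check over a VM inventory. This is an added example, not code from the original article or from SolarWinds; the inventory, VM names, unsupported-OS list and the "release" rule for remediated VMs are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

IDLE_LIMIT = timedelta(days=90)   # article: no logon for 90 days
QUARANTINE = timedelta(days=14)   # article: quarantined for two weeks, then deleted
UNSUPPORTED_OS = {"Windows Server 2003", "Ubuntu 10.04"}  # assumption: your own baseline

@dataclass
class VM:
    name: str
    os: str
    created: date
    last_logon: Optional[date] = None       # None: never logged onto
    quarantined_on: Optional[date] = None   # None: not in quarantine

def evaluate(vm, today):
    """Return (action, reason) for one VM under the stated policy."""
    idle = today - (vm.last_logon or vm.created)  # never-used VMs age from creation
    reasons = []
    if idle >= IDLE_LIMIT:
        reasons.append(f"no logon for {idle.days} days")
    if vm.os in UNSUPPORTED_OS:
        reasons.append(f"old or unpatched OS ({vm.os})")
    why = "; ".join(reasons) or "compliant"
    if not reasons:
        # Assumption: an owner who remediates during quarantine gets the VM back.
        return ("release" if vm.quarantined_on else "keep", why)
    if vm.quarantined_on is None:
        return ("quarantine", why)
    expired = today - vm.quarantined_on >= QUARANTINE
    return ("delete" if expired else "hold", why)

def plan(inventory, today):
    return {vm.name: evaluate(vm, today) for vm in inventory}

# Constructed sample inventory; names, dates and OS strings are illustrative only.
TODAY = date(2015, 6, 30)
INVENTORY = [
    VM("web-prod-01", "Windows Server 2012 R2", date(2014, 1, 10), date(2015, 6, 25)),
    VM("dev-scratch-07", "Ubuntu 14.04", date(2014, 11, 3), date(2015, 3, 1)),
    VM("test-legacy-02", "Windows Server 2003", date(2013, 5, 20), date(2015, 6, 29)),
    VM("poc-demo-03", "Ubuntu 14.04", date(2015, 1, 5), None, date(2015, 6, 10)),
    VM("qa-build-11", "Ubuntu 14.04", date(2014, 8, 1), date(2015, 2, 1), date(2015, 6, 22)),
    VM("hr-app-04", "Windows Server 2012 R2", date(2014, 2, 2), date(2015, 6, 28), date(2015, 6, 20)),
]

if __name__ == "__main__":
    for name, (action, reason) in plan(INVENTORY, TODAY).items():
        print(f"{name:15} {action:10} {reason}")
```

Run it on a schedule against an export from your virtualization management tool and log every (action, reason) pair, so a deletion can always be traced back to the stated procedure.
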

You may not think of yourself as owning security, and there may even be someone else at the desk just down from yours with a bona fide security title, but as a virtualization admin you are on the security front lines whether you like it or not. Planning up front for better security in your virtual environment is vastly easier than trying to implement it after everyone has fallen into bad habits, but either way, following the tactics above can go a long way towards making sure virtualization is not the weak link in your organization's armor.


About the Author

Michael Thompson, Director, Systems Management Product Marketing, SolarWinds. 

Michael has worked in the IT management industry for more than 14 years, including leading product management teams and portfolios in the storage and virtualization/cloud spaces for IBM. He holds a master of business administration and a bachelor's degree in chemical engineering. 

Make sure to also read, "Is Your Application Sick? The Application Performance Management (APM) Doctors Are In" and "In the New Wild West of Storage, the Virt Admin is Sheriff"

Published Tuesday, June 30, 2015 9:59 AM by David Marshall