Server virtualization and cloud services offer compelling benefits, including hardware consolidation, rapid provisioning and reduced infrastructure complexity. But virtualization and cloud technologies also introduce security and compliance challenges that are not easily addressed with traditional vulnerability management tools and techniques. These challenges include:
Because it’s so easy and fast to spin up new servers or clone existing ones, organizations often create a large number of virtual machines or cloud instances, increasing the number of servers to monitor and manage. Any problems that you have in the physical environment will be magnified in virtual and cloud environments. Without tight controls, it’s difficult to ensure that infrastructure in these new IT environments adheres to appropriate security and configuration controls.
Tracking and updating what you have can be a challenge as people create, suspend and move virtual machines and cloud instances. Identifying where virtual machines and cloud instances exist and then including them in your assessment and patch processes can quickly become a time-consuming challenge.
Many layers, many players
Virtualization and the cloud add other teams and skill sets to the overall security environment, which is complex and includes physical and network layers. Individuals may lack insight into areas beyond their own expertise, yet understanding context is critical for assessing risk. With ‘silos’ of expertise, it can be difficult to get an accurate understanding of the actual risk profile of a virtualized system.
Securing Virtual and Cloud Environments is a Process
Tools alone cannot resolve these challenges. VMware tools, for example, address only VMware issues, while Windows patch management tools focus on their discrete problems. Understanding and addressing the reality of threats in context requires an ongoing, multi-step process to:
1. Define policies and procedures
2. Develop a plan to stay compliant with change control
3. Implement a plan to harden and control systems
4. Scan your environment
5. Distribute the right data to the right people
6. Fix the problems
7. Repeat on a regular basis
The team managing and executing the process will come from security, IT, cloud and virtual teams. By understanding new challenges and working together, teams can manage security in new virtual and cloud environments as they have in physical environments in the past.
For more ideas on how to run a successful vulnerability management program, watch the Tenable on-demand webcast, Why are Some Vulnerability Management Programs More Successful than Others?