Securing Virtual Machines Starts With Sound Policies

The ease and speed of deploying a virtualized environment has allowed some IT professionals to overlook security concerns that may be brewing up in the cloud.

More on CIO.com

Today’s Virtualization Security Tools: One Hidden Risk

Virtualization Security Assessment Guides Inadequate, Tools Lacking

At WorkflowOne, a provider of marketing services, the IT department realized it had to play catch-up to address new security risks. The potential for a sudden appearance of several virtual servers caused confusion and alarm among the security team, says John Dattalo, an information security analyst with the company. One feared scenario: That the team would come back from lunch to 10 new servers and not know where they came from or what they were for.

So, where should you start? The answer is more simple than you might think: exactly where you would in a conventional environment. “Having a strong [security] policy and adhering to and enforcing that policy are the first steps,” Dattalo says. Making sure your processes are up to date is also important, says Natalie Lambert, an analyst with Forrester Research. When virtualization first became popular, few companies included security in their assessments of whether to deploy the technology. But now IT managers are seeing the risks and taking the steps to correct the oversight, Dattalo adds.

Remember the Basics

Access control stands as one of virtualization’s greatest risks, says Dattalo, because someone with access to a physical server running many virtual machines “could potentially take down the entire set.” Forrester’s Lambert agrees: “Virtual machines have all the attributes of an entire file, and the physical server would not,” she says, so employees would have access to more data than the company might want them to. In order to resolve this issue, Dattalo suggests putting a senior manager in charge of determining an access list, clearly spelling out which physical servers each employee needs to work with and which they don’t.

Tracking and maintaining the virtual servers—and what’s on them—is also key, says Dave Templeton, CIO with Kelley Blue Book, which provides car sales information. Templeton has added 225 virtual servers in the past 18 months. “There are the same security concerns” as with dedicated servers, he says, “but the provisioning is so much faster that you need to be more on top of things.”

Currently, Templeton and his director of IT, Grant Leathers, are looking at a tool that maps every virtual machine and physical server in their data centers. With the speed virtualization offers, the need for this visibility is more important than ever. It’s much harder to map what’s on your virtual systems after you deploy them when you have hundreds of machines to look after, he says. Templeton suggests having an infrastructure team tightly managing the installation and support of the devices both on the rack and in the cloud, instead of trying to figure out the mapping later.

The Wait for New Tools

As of now, the tools available to manage access controls and keep visibility in a virtual environment are not mature enough, says Dattalo. He would like to have a tool that could be more granular in its separation of control, so that he and his staff could define specifically which virtual machines or applications each individual can access. Forrester’s Lambert says it will be some time before more precise tools are available, but they won’t come soon enough for Dattalo.

“I want to see and control every aspect of security in the virtual environment, just as if it were in the physical world,” he says.