The ease and speed of deploying a virtualized environment has allowed some IT professionals
to overlook security concerns that may be brewing up in the cloud.
More on CIO.com
Today’s Virtualization Security Tools: One Hidden Risk
Virtualization Security Assessment Guides Inadequate, Tools Lacking
At WorkflowOne, a provider of marketing services, the IT department realized it had to play
catch-up to address new security risks. The potential for a sudden appearance of several
virtual servers caused confusion and alarm among the security team, says John Dattalo, an
information security analyst with the company. One feared scenario: That the team would come
back from lunch to 10 new servers and not know where they came from or what they were for.
So, where should you start? The answer is more simple than you might think: exactly where
you would in a conventional environment. “Having a strong [security] policy and adhering to
and enforcing that policy are the first steps,” Dattalo says. Making sure your processes are
up to date is also important, says Natalie Lambert, an analyst with Forrester Research. When
virtualization first became popular, few companies included security in their assessments of
whether to deploy the technology. But now IT managers are seeing the risks and taking the
steps to correct the oversight, Dattalo adds.
Remember the Basics
Access control stands as one of virtualization’s greatest risks, says Dattalo, because
someone with access to a physical server running many virtual machines “could potentially
take down the entire set.” Forrester’s Lambert agrees: “Virtual machines have all the
attributes of an entire file, and the physical server would not,” she says, so employees
would have access to more data than the company might want them to. In order to resolve this
issue, Dattalo suggests putting a senior manager in charge of determining an access list,
clearly spelling out which physical servers each employee needs to work with and which they
Tracking and maintaining the virtual servers—and what’s on them—is also key,
says Dave Templeton, CIO with Kelley Blue Book, which provides car sales information.
Templeton has added 225 virtual servers in the past 18 months. “There are the same security
concerns” as with dedicated servers, he says, “but the provisioning is so much faster that
you need to be more on top of things.”
Currently, Templeton and his director of IT, Grant Leathers, are looking at a tool that maps
every virtual machine and physical server in their data centers. With the speed
virtualization offers, the need for this visibility is more important than ever. It’s much
harder to map what’s on your virtual systems after you deploy them when you have hundreds of
machines to look after, he says. Templeton suggests having an infrastructure team tightly
managing the installation and support of the devices both on the rack and in the cloud,
instead of trying to figure out the mapping later.
As of now, the tools available to manage access controls and keep visibility in a virtual
environment are not mature enough, says Dattalo. He would like to have a tool that could be
more granular in its separation of control, so that he and his staff could define
specifically which virtual machines or applications each individual can access. Forrester’s
Lambert says it will be some time before more precise tools are available, but they won’t
come soon enough for Dattalo.
“I want to see and control every aspect of security in the virtual environment, just as if
it were in the physical world,” he says.