As virtualization began to gain traction among enterprise IT, many security experts raised alarm at what they considered to be new potential risks. Virtualization broke many traditional security and compliance rules, but all but the most stringent critics agreed its benefits outweighed the potential risks. Today, hypervisor updates and virtualization-focused security products have improved virtual machine security, but many security challenges remain. Let's take a look at five common virtual server security oversights you should keep your eye on.
1. Valuing ease of use over security
One of the prime advantages to virtualization is the flexibility and management benefits it offers. But, easier management can sometimes mean a less secure virtual infrastructure. For example, VMware offers many configuration options that may make administration easier, but could hurt security. It's also important not to blindly trust default settings and to consider performing a security hardening review. Some VMware vSwitch settings, for example, default to options that may make management features easier to use, but could open the door to potential attackers.
2. Failing to manage roles and permissions
Choosing to relax some settings to improve management is one thing, but failing to restrict access and permissions to users who don't need it can raise unnecessary security risks. It's all too easy to give low-level staff or junior administrators full administrative rights rather than spend the time to define more specific privileges. In most cases, it's best to start by giving a user no permissions and work to identify what to add rather than work backward.
3. Overlooking resource controls
One of the chief risks to any virtual infrastructure is that workloads are not physically separated. When VMs rely on the same host, a problem with one can extend to the others. Putting limits on VM resources is a simple task that will prevent one VM from starving other -- possibly more important -- VMs or critical resources. But, don't just focus on limiting CPU and memory access. Storage and network I/O controls can prevent internal problems that could mimic a distributed-denial-of-service attack.
4. Delaying patches or not keeping a maintenance schedule
Maintenance and security patching aren't exciting and can require momentary service disruptions that make end-users unhappy, but they're critical to keeping your infrastructure up-to-date with the latest known security fixes. Just one VM missing a patch can put an entire virtual infrastructure at risk. Nearly everyone has heard about Microsoft's Patch Tuesday, but many VMware administrators don't keep regular maintenance schedules or delay important security patches.
5. Losing sight of drift and configuration changes
Like physical environments, security in a virtual infrastructure is often a matter of defining and adhering to company policies. But over time, small configuration changes can cause you to slowly drift out of compliance. The trick is creating a system -- or turning to a configuration tool -- that checks to make sure a virtual machine's configuration is maintained through its lifecycle.