A virtual administrator may pose the greatest risk to your company, and we have to look to the IT managers and executives to find out why they allowed and enabled this potential security risk to develop.
As companies continue to virtualize, the traditional data center roles are merging. Over the years, organizations have hired specialized staff and segmented operations into silos, forming separate teams for data center hardware, networking, storage, Windows and telecom. While these teams interacted with each other, the staff did not typically cross roles because technology silos created a separation of duties. As virtualization entered the data center, a new role grew out of necessity. This new role, that of the virtual administrator, replaced traditional rack-and-stack data center personnel and allowed companies to consolidate large collections of hardware into a much smaller footprint. The dedicated hardware role has simply faded away from the modern data center.
In many companies, the networking and storage teams continued to exist, operating outside of the virtual environment. Today, that is changing. A few years ago VMware announced the software-defined data center (SDDC), but many were unsure what the term meant. When VMware announced the first virtual storage area network, which turned storage into a commodity, similar to what ESX did to server hardware, VMware's vision became clearer. In 2013, VMware announced its network virtualization product, NSX, which aims to abstract the network layer from networking hardware. This brings two more teams into the virtual world and under the virtual administrator. While it is possible for companies to resist integration and keep traditional silos separate, the potential cost and management savings are impossible to ignore. That is why the virtual administrator has become the focal point of your data center and may be the greatest risk to your company.
Security experts point out that some of the largest security breaches are not from armies of hackers but from internal employees. This is why a division of duties and access can be so important to an organization. However, with an SDDC we are putting all of our eggs into a single virtual basket. This is not a call to start monitoring your virtual administrator with hidden cameras. After all, it's not his fault we are in this situation. But let's consider a few strategies to help address some of these security concerns.
Open the virtual world to other teams
Team lines can be very black and white, but in today's flexible and fast-paced software-defined environments, we need shades of gray more than ever. The networking team should not simply stop at the traditional OSI layers, but extend into managing virtual switches. They need to have not only visibility into virtual switches but the responsibility for them as well. While this may seem like a radical thought to a virtual administrator, it is important to leverage the skills of network engineers in a virtual environment. If network administrators have ownership of virtual networking, it will no longer be perceived as a threat to them and may even spur smoother teamwork in expansions and upgrades because everyone has a vested interest. The virtual environment has always been the domain of virtual administrators, but that does not mean they are experts in everything the virtual environment now covers, including networking and storage.
Consider compliance software
Vendors such as HyTrust, VMware and BeyondTrust have products that offer extensive auditing, privilege management and compliance features. These software packages are designed to audit everyone, including the virtual administrator, for misuse of the environment. Companies can define misuse with customizable policies that shouldn't limit the virtual administrator's job but help protect it. None of these products will be able to securely lock out a virtual administrator bent on causing outages or data loss. Instead, they are designed to prevent honest mistakes by limiting global access and to provide auditing capabilities if an issue occurs that cannot be easily explained.
Set and enforce documentation policies
Most people assume malicious action is the greatest threat they face and often overlook a bigger risk: a loyal virtual administrator leaving for another opportunity. An employee leaving the company can have a critical and often misunderstood consequence. IT folks aren't always diligent about documentation, often preferring to act first and document when they have spare time. Too often, when an experienced administrator leaves, he takes that information with him, leaving behind a complex environment and junior administrators struggling to learn how it works while trying to support it. There isn't enough time for proper documentation and drawings, knowledge transfers and cross-team training when an administrator gives two weeks' notice. This process has to start early, have management support, and make use of products designed to help with mapping and documenting your environment. NeverFail IT Continuity Architect is one product that can map out your virtual environment so that if key personnel leave, the replacement staff is not starting from scratch.
Silos were once a viable structure because different skill sets were needed to manage dissimilar types of hardware. With servers, networking and storage all becoming commodity hardware and software truly driving the data center, traditional silos have faded, giving rise to a single silo that encompasses a lot more than many are comfortable with. Cross-training, function ownership, auditing software, documentation and a greater understanding of the roles in a virtual world are all ways to help prevent your virtual administrator from becoming the greatest risk to your company.