Sergey Nivens - Fotolia
Virtualization has proven to be an effective and reliable software platform capable of enhancing hardware utilization and adding enormous flexibility to the data center environment. Lingering concerns about hacking and malware infection have tempered hypervisor adoption among some organizations -- especially where many VMs can share the same hypervisor and hardware -- and those fears have been largely misplaced. Hypervisors are indeed resilient and secure, but poor security practices and common oversights can still expose VMs to attack. In order to manage virtualization and security risks, organizations must set and enforce a comprehensive policy.
Poor policies, controls and user education can be more detrimental to security in a virtual environment than any software vulnerability. However, the solutions to such vulnerabilities are usually similar to those used in physical environments.
Always employ least-privilege tactics when authorizing administrators and users. The goal is to give administrators and users the absolute minimum access to features and data necessary to perform their specific functions -- and nothing more. This can be challenging when virtualization tends to combine administrative functions and erase traditional silos of responsibility, but security posture can be improved by assigning granular privileges and conducting periodic reviews of privilege and authority. Remember that some compliance regulations such as the Payment Card Industry Data Security Standard and the Federal Information Security Management Act require least-privilege authorizations. In addition, when it comes to virtualization and security risks, a policy that incorporates least-privilege access to corporate data -- even among administrators -- will reduce the likelihood of data leakage (theft) by employees or other insiders with unnecessary authority.
Educate administrators and users in the acceptable use policies of company data and warn them against security risks such as social engineering. For example, reporting logon credentials that may have been compromised on a lost sticky-note or suspicious email request can allow administrators to take proactive action to protect systems and data.
A policy for managing virtualization and security risks should specify that administrators always use secure shell connections for administrative console access -- unsecure web connections are easily compromised, possibly revealing logon credentials. In addition, limit administrative access to a limited number of internal network addresses. This prevents outside attackers from accessing systems even if credentials are compromised. Some organizations may employ multifactor authentication for critical administrative consoles or functions.
Ensure that all administrative and user activity in the physical and virtual environment is logged and available for review or audit, and go through the process of conducting periodic audits. Log file analytical tools, change management platforms and other tools should warn of suspicious or malicious activity such as attempting to access drives or files that are not part of normal responsibilities, creating or deleting VMs, altering VM configurations and so on. This is often paired with a formalized administrative process for approving and creating VMs -- often encapsulated in VM lifecycle management tools or workflow automation systems.
Addressing virtualizion and security risks with a clearly defined policy, will greatly reduce your organization's exposure and help prevent many security breaches.
Policy alone can't prevent security breaches
Improve security with smart VM configuration
Virtualization raised new data security challenges
Dig Deeper on Server virtualization compliance and governance
Related Q&A from Stephen J. Bigelow
Containers have rapidly come into focus as a popular option for deploying applications, but they have limitations and are fundamentally different ... Continue Reading
ALM and SDLC both cover much of the same ground, such as development, testing and deployment. Where these lifecycle concepts differ is the scope of ... Continue Reading
Eliciting performance requirements from business end users necessitates a clearly defined scope and the right set of questions. Expert Mary Gorman ... Continue Reading