Sergey Nivens - Fotolia

How should you manage virtualization and security risks?

Once thought to be a security risk, virtualization is now a trusted technology. However, poor security practices can still leave you vulnerable.

Virtualization has proven to be an effective and reliable software platform capable of enhancing hardware utilization and adding enormous flexibility to the data center environment. Lingering concerns about hacking and malware infection have tempered hypervisor adoption among some organizations -- especially where many VMs can share the same hypervisor and hardware -- and those fears have been largely misplaced. Hypervisors are indeed resilient and secure, but poor security practices and common oversights can still expose VMs to attack. In order to manage virtualization and security risks, organizations must set and enforce a comprehensive policy.

Poor policies, controls and user education can be more detrimental to security in a virtual environment than any software vulnerability. However, the solutions to such vulnerabilities are usually similar to those used in physical environments.

Always employ least-privilege tactics when authorizing administrators and users. The goal is to give administrators and users the absolute minimum access to features and data necessary to perform their specific functions -- and nothing more. This can be challenging when virtualization tends to combine administrative functions and erase traditional silos of responsibility, but security posture can be improved by assigning granular privileges and conducting periodic reviews of privilege and authority. Remember that some compliance regulations such as the Payment Card Industry Data Security Standard and the Federal Information Security Management Act require least-privilege authorizations. In addition, when it comes to virtualization and security risks, a policy that incorporates least-privilege access to corporate data -- even among administrators -- will reduce the likelihood of data leakage (theft) by employees or other insiders with unnecessary authority.

Educate administrators and users in the acceptable use policies of company data and warn them against security risks such as social engineering. For example, reporting logon credentials that may have been compromised on a lost sticky-note or suspicious email request can allow administrators to take proactive action to protect systems and data.

A policy for managing virtualization and security risks should specify that administrators always use secure shell connections for administrative console access -- unsecure web connections are easily compromised, possibly revealing logon credentials. In addition, limit administrative access to a limited number of internal network addresses. This prevents outside attackers from accessing systems even if credentials are compromised. Some organizations may employ multifactor authentication for critical administrative consoles or functions.

Ensure that all administrative and user activity in the physical and virtual environment is logged and available for review or audit, and go through the process of conducting periodic audits. Log file analytical tools, change management platforms and other tools should warn of suspicious or malicious activity such as attempting to access drives or files that are not part of normal responsibilities, creating or deleting VMs, altering VM configurations and so on. This is often paired with a formalized administrative process for approving and creating VMs -- often encapsulated in VM lifecycle management tools or workflow automation systems.

Addressing virtualizion and security risks with a clearly defined policy, will greatly reduce your organization's exposure and help prevent many security breaches.

Next Steps

Policy alone can't prevent security breaches

Improve security with smart VM configuration

Virtualization raised new data security challenges

Dig Deeper on Server virtualization compliance and governance