Sure, server virtualization has been around for a while and is very popular in IT. But you know a technology has really hit the big time when it gets its own national standards.
The National Institute of Standards and Technology (NIST) this week released its virtualization security guidelines. The document emphasizes that virtualization involves many moving parts, from the host down to the VM, applications and associated technologies such as storage.
“The security of a full virtualization solution is heavily dependent on the individual security of each of its components,” the report says.
The NIST virtualization security guidelines focus on these four main areas:
- Hypervisor security: Keep all hypervisors updated and patched per vendors’ recommendations, and restrict access to their management interfaces. It’s also important to disconnect or disable all unused hardware and services, which can serve as attack vectors.
- Guest OS security: Prompt updates are recommended here as well, as is disconnecting unused virtual hardware. You should also back up virtual drives, following the same policies you use for physical backups. The guidelines warn, “If a guest OS on a hosted virtualization system is compromised, that guest OS can potentially infect other systems on the same hypervisor.”
- Infrastructure security: Only the guests that use certain storage or networking should have access to that specific hardware.
- Desktop virtualization security: No two desktop virtualization deployments are the same, and determining how to protect virtual desktops depends on their use cases and the sensitivity of their workloads.
The NIST virtualization security guidelines go into much more detail in the full report, “Guide to Security for Full Virtualization Technologies” (PDF). For additional resources, check out our server virtualization security best practices guide.