- Kevin Beaver, Principle Logic, LLC
Virtualization can help take the pain out of the patch-management process, but you can’t afford to overlook certain patching principles. Regardless of the platform you’re using, here are some tips for ensuring your virtual environment is properly patched and protected.
1. Know what you’ve got. One of the greatest challenges facing network administrators today is the growing complexity of their environments. With virtualized systems being created and disabled on a daily basis, virtualization is a top contributor to this complexity. Here’s a fact: You cannot secure what you don’t acknowledge. Take an inventory and document your systems to ensure that you know which virtual systems are where. If you don’t, you’ll continually struggle with patching, which, in turn, will create unnecessary business risks.
2. Ensure proper scope for your patching policy and security standards. Another common challenge is systems that don’t fall under the umbrella of the company’s overall security policies and standards. Virtual systems are part of production, too. If you’re going to ensure that patches are properly applied according to internal policy or external regulations, your virtual systems must be treated as part of the production environment. Even where virtual systems are used for development or staging, you need to consider the ramifications of not patching, especially where production data is being used (and it almost always is somehow, somewhere). The malware and exploit threat is just as great on these nonproduction systems. Given the risks brought about by missing patches and the risks associated with the patching process itself, virtual systems should also be included in the scope of your incident-response and business continuity plans.
3. Keep your cloud providers and other vendors honest. Talk is cheap. While a contract might declare that patching of hosted virtual systems shall take place, people and business process complexities can create oversights and errors. Ask for reports, perform your own tests or do whatever else it takes to ensure that any virtualized environments out of your direct control are indeed being patched and properly maintained.
4. It’s all about the business. As techies, it’s easy for us to get caught up in the bits, bytes and inner workings of hypervisors, VDI stacks and the like. But we can’t live and breathe at that level all the time. We must see the bigger picture. Virtualization patching is a set of technologies and processes in support of minimizing business risks. We can’t forget this and let security get in the way of doing business. Everything in IT is a balancing act, and virtualization is no different. Get on board with what the business is trying to accomplish, and ensure you’re continually steering in the right direction.
About the Author
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Principle Logic LLC. He has authored/co-authored 10 books on information security, including the best-selling Hacking for Dummies. In addition, he’s the creator of the Security on Wheels information security audio books and blog. Follow him on Twitter at @kevinbeaver.
Dig Deeper on Virtualization security and patch management
Preserve Hyper-V security from Meltdown and Spectre vulnerabilities
Managing vulnerable software: Using data to mitigate the biggest risks
What kind of VM management software can improve security?
How to overcome unique cloud-based patch management challenges