While virtualization makes it easy to provision new workloads, it creates unique problems for virtual server security and compliance. In fact, many of the same features that make virtualization valuable to some organizations cause problems for other organizations. This month we ask our Advisory Board members what their biggest challenges are with security and compliance in today's virtual data centers and how they address these challenges.
Maish Saidel-Keesing, Cisco Video Technologies Israel (formerly NDS Group Ltd.)
Once upon a time, if you wanted to create a new workload you needed to put in a purchase request, spec out your server, then wait until it was procured, racked and installed. Today self-service is the name of the game, and all that happens with the push of a button.
With this ease come virtual server security concerns. In the past, IT had more control over where the workload was placed and how it was protected. Today, it is a question of providing the security that protects the company, but still allowing the end users the freedom and agility to do their work.
The biggest concern today with protecting data is that ease of use.
How does one address this potential security issue? Well, to completely block and hinder the end users is not a solution. If IT takes that approach, end users will circumvent IT altogether, turn to an external provider, and then IT will lose all control.
I think the solution is to find a mixture of education and collaboration between IT and the users. Making sure that the end user is accountable for the company's information and responsible for keeping it secure is a key aspect of protecting your company's data.
Jack Kaiser, Focus Technology Solutions
This month I turned to our chief technology officer, Bill Smeltzer, for his opinion.
"Segmentation of workloads is a big challenge in today's virtualized data center. As we continue to collapse workloads onto common infrastructure we start to mix different workloads that were once isolated in the physical data center. In the past, we took a set of public-facing servers and put them on a separate isolated network from other servers typically separated by a firewall. This was easy to accomplish because in the traditional data center each physical server would be connected to the proper network.
"In the virtual data center, physical servers run multiple workloads and share common networking interfaces. Keeping track of network rules and settings becomes difficult as workloads move around the data center to different physical machines. In environments that have strict security concerns, like PCI and HIPAA, auditing and ensuring compliance becomes increasingly difficult. Software-defined networks promise to help ease virtual server security concerns by applying network security directly to workloads or virtual machines rather than networking devices. With software-defined networks, we have the ability to assure proper security regardless of where the workload moves, helping to achieve compliance."
Jason Helmick, Concentrated Technology LLC
Every IT pro can build and deploy a secured server that meets their company's compliance requirements; that's not the problem. You already have the tools that will assist in delivering updates for both security and compliance; that's not the problem either. Keeping your servers (and clients) from drifting out of your specifications, the desired state of configuration, is the real problem.
With so many other sysadmins touching and modifying the servers, drift (loss of your desired software configuration, security settings, etc.) will occur. Once the cats are free on the ranch, herding them back to their cages seems impossible.
You can avoid this problem if you start the planning process up front. Without recommending a particular tool, consider the concept that the Unix/Linux folks have been using tools, like Puppet and Chef, to create a system that will check to make sure the desired configuration is maintained and will continue to meet a set of standards and guidelines. You're probably already using one of these tools if you have Unix/Linux servers.
While products like Microsoft's Windows Intune can be helpful, Windows has been lagging in this capability. A new technology introduced to the Windows operating system through PowerShell V4 is the start to the solution you need. Desired State Configuration (DSC) is the new kid on the block, but can provide the automated and effortless control you have been looking for.
Keeping all those cats in their cages, lined up in a row exactly as you want them without degradation and drift over years of management, is one of the keys to consistent security and compliance. If you are working with Windows, take a look at DSC. It's a new technology and may not serve every need yet, but the community is pushing DSC to the limits, so that automating and maintaining the desired state of your servers becomes a reality. Your virtual server security and compliance will improve just by removing drift and human error.
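The drift control described in the DSC contribution above, sketched as a PowerShell configuration. This is an added example, not part of the original article or of any contributor's own code. The baseline settings (Telnet client removed, firewall service running, SMBv1 server disabled), the configuration names and the output paths are assumptions chosen for illustration.

```powershell
# Added illustration: the baseline items below are assumed, not taken from the article.
Configuration ServerBaseline
{
    Node 'localhost'
    {
        # Cleartext remote-administration client should not be installed.
        WindowsFeature NoTelnetClient
        {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }

        # Host firewall service must stay running and start automatically.
        Service WindowsFirewall
        {
            Name        = 'MpsSvc'
            State       = 'Running'
            StartupType = 'Automatic'
        }

        # SMBv1 server protocol disabled.
        Registry DisableSmb1Server
        {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueData = '0'
            ValueType = 'Dword'
            Ensure    = 'Present'
        }
    }
}

# Local Configuration Manager settings: re-check on a schedule and re-apply on drift.
Configuration BaselineLcm
{
    Node 'localhost'
    {
        LocalConfigurationManager
        {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
        }
    }
}

# Compile to MOF, configure the LCM, then push the baseline (run elevated).
ServerBaseline -OutputPath .\ServerBaseline
BaselineLcm    -OutputPath .\BaselineLcm
Set-DscLocalConfigurationManager -Path .\BaselineLcm
Start-DscConfiguration -Path .\ServerBaseline -Wait -Verbose

# Audit check: returns False if another administrator has changed any declared setting.
Test-DscConfiguration
```

Setting `ConfigurationMode` to `'ApplyAndMonitor'` instead records drift in the DSC event log without correcting it, which suits environments where changes must be reviewed before they are reverted.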