As the healthcare industry software vendor Quantros Inc. dove deeper into virtualization, its IT team had to find new ways to keep its virtualization platform secure. With a range of hosted Software-as-a-Service applications for hospitals and medical offices, as well as internal applications, the company worried about security holes.
"One challenge was trying to segregate each application," said Bryan Rood, IT and data center manager for the company. With about 80 internal users, Quantros serves nearly three million users throughout approximately 2,500 hospitals. Its applications and virtual hosts communicate when servers send data traffic between one another over the network, Rood said. That data must be allowed in while the system blocks potential intruders.
"There is this paradigm that you can secure everything or get your work done," Rood said. Virtualization security that is configured too tightly can make it difficult to get things done, he said. The key is finding a compromise. Secure virtualization is nonetheless a must in order to protect against unauthorized users.
When VMware Inc. showed Rood how much communication occurred between the two environments, he wondered how vulnerable that traffic was. An attack could occur if an intruder accessed network traffic outside Quantros' firewalls and sent acceptable commands to the hypervisor. Other applications also share data outside the network for replication and other tasks, which added to the vulnerability worries.
Rood and his team tested VMware's vShield Zones on two virtual machines. The application works as a deep-packet inspection firewall that also allows the creation of zone-based controls for multiple applications. Rood looked at competing products, too, from Symantec, Altor Networks and other vendors, but chose vShield Zones since it was included under an ongoing VMware vSphere 4 support contract.
The testing, which was run on two VMs to start, finished up in the summer of 2009. "We've overcome a lot of hurdles in getting things to talk to each other and work together," he said. "You have to make sure that the way you've set up virtualization is completely compatible from piece to piece when you turn on the firewall."
Rood said that he turned on the lowest level of security first and then increased it to be sure everything was working.
Getting the network to recognize and accept desired changes has been the biggest problem, Rood said. "The [virtualization] security software needs to be able to follow changes so it doesn't think [they] are security problems," he said. "We have tried to implement the same security or better for our virtual environment as we did for our physical environment."
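The three ideas the article touches on, zone-based controls between application tiers, switching on the lowest level of security before tightening it, and a policy that follows infrastructure changes instead of flagging them, can be shown together in a small model. The following Python is an added illustration and is not Quantros' configuration or VMware's vShield Zones code; the zones, VM names, addresses, ports and sample flows are all constructed for the example. Policy is written against zones rather than addresses, so a migration or re-IP only updates the inventory, and an "audit" mode passes every flow while recording what "enforce" would have blocked.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory.  Zone membership is a property of the VM; the
# address table is the only thing a migration or re-IP touches.
VM_ZONES: Dict[str, str] = {
    "web01": "web", "web02": "web",
    "app01": "app",
    "db01": "db",
    "vcenter": "mgmt",
}
VM_ADDRS: Dict[str, str] = {
    "web01": "10.0.1.11", "web02": "10.0.1.12",
    "app01": "10.0.2.21",
    "db01": "10.0.3.31",
    "vcenter": "10.0.9.9",
}

@dataclass(frozen=True)
class Rule:
    src_zone: str   # "*" = any zone; "external" = address not in the inventory
    dst_zone: str
    dst_port: int   # 0 = any port
    action: str     # "allow" or "deny"

# Constructed zone policy: only the inter-tier paths the applications need.
# Anything not matched falls through to an implicit deny.
POLICY: List[Rule] = [
    Rule("external", "web", 443, "allow"),
    Rule("web", "app", 8443, "allow"),
    Rule("app", "db", 1433, "allow"),
    Rule("mgmt", "*", 0, "allow"),
]

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int

def zone_of(ip: str, addrs: Dict[str, str] = VM_ADDRS) -> str:
    """Map an address to a zone through the inventory; unknown means external."""
    for vm, addr in addrs.items():
        if addr == ip:
            return VM_ZONES[vm]
    return "external"

def policy_decision(flow: Flow, addrs: Dict[str, str] = VM_ADDRS) -> str:
    """First matching rule wins; no match is an implicit deny."""
    src, dst = zone_of(flow.src_ip, addrs), zone_of(flow.dst_ip, addrs)
    for r in POLICY:
        if (r.src_zone in ("*", src) and r.dst_zone in ("*", dst)
                and r.dst_port in (0, flow.dst_port)):
            return r.action
    return "deny"

def evaluate(flow: Flow, mode: str, log: List[str],
             addrs: Dict[str, str] = VM_ADDRS) -> str:
    """'audit' passes every flow but records what 'enforce' would block.
    Review the audit log against expected application traffic before
    switching the same policy to 'enforce'."""
    decision = policy_decision(flow, addrs)
    if decision == "deny":
        src, dst = zone_of(flow.src_ip, addrs), zone_of(flow.dst_ip, addrs)
        log.append(f"{mode} {src}->{dst}:{flow.dst_port} "
                   f"{flow.src_ip}->{flow.dst_ip} blocked-by-policy")
    return "allow" if mode == "audit" else decision

def with_vm_moved(addrs: Dict[str, str], vm: str, new_ip: str) -> Dict[str, str]:
    """A migration or re-IP updates the inventory only; the policy is untouched."""
    updated = dict(addrs)
    updated[vm] = new_ip
    return updated

# Constructed sample flows, in the order they would be seen on the wire.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.0.1.11", 443),   # internet -> web tier
    Flow("10.0.1.11", "10.0.2.21", 8443),    # web -> app
    Flow("10.0.2.21", "10.0.3.31", 1433),    # app -> db
    Flow("10.0.1.12", "10.0.3.31", 1433),    # web -> db, skipping the app tier
    Flow("203.0.113.5", "10.0.9.9", 443),    # internet -> management
]

def run(mode: str, addrs: Dict[str, str] = VM_ADDRS):
    """Evaluate all sample flows in one mode; return (verdicts, log)."""
    log: List[str] = []
    verdicts = [evaluate(f, mode, log, addrs) for f in SAMPLE_FLOWS]
    return verdicts, log

if __name__ == "__main__":
    for mode in ("audit", "enforce"):
        verdicts, log = run(mode)
        print(mode, verdicts)
        for line in log:
            print("  ", line)
    # app01 re-IPs after a migration: the same policy keeps web->app open
    # once the inventory is updated, because decisions are made on zones.
    moved = with_vm_moved(VM_ADDRS, "app01", "10.0.2.99")
    print(policy_decision(Flow("10.0.1.11", "10.0.2.99", 8443)))         # deny: stale inventory
    print(policy_decision(Flow("10.0.1.11", "10.0.2.99", 8443), moved))  # allow: inventory followed
```

Running the sample shows the two flows that cross tiers without a rule (web straight to the database, and the internet to the management zone) surfacing in the audit log while still being passed, which is the information an operator needs before flipping the same rule set to enforcement. The final two lines show why the inventory, not the rule set, is what has to track a change: with a stale address table the moved application server looks external and the legitimate web-to-app flow is denied.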