To protect a virtualized environment, admins must establish and follow a strict protocol of best practices. Security...
in virtualization needs to be a constant concern, and admins must always be on the watch for ways to secure their environments, whether that involves applying old lessons to new technologies, resolving organizational security tensions or establishing policies that prioritize security. Read up on these policies and strategies to help you establish or reinforce important security practices in your department and throughout your company.
Prioritize security from the start
Application security has long been in conflict with performance and ease of use. To solve this, companies must abandon the traditional layering approach, wherein security is added after the build is complete. As security controversies rage in the media and within companies, the need for a better approach only becomes more important. Security in virtualization needs to be a prime concern from the beginning of the development process.
Companies can prioritize security by making sure the system admin and security personnel are on the same page. Both of these parties should share documentation, such that the system admin knows the security requirements and security personnel have seen the build document. From there, the system admin can work closely with the security team. The system admin can even complete some security steps in the initial build, which allows for faster deployment and leads to better balance between performance and security.
Security policies must be comprehensive
Virtualization has proven to be effective and reliable, but for many organizations, security remains a concern. While these fears are valid, they are often misplaced because the problem actually resides in poor security practices. To combat this, organizations must establish comprehensive security policies and strictly enforce them. Contrary to some assumptions, vulnerabilities at policy, control and user levels can be just as dangerous as software vulnerabilities.
Though virtualization blurs the boundaries between traditionally separated responsibilities, many traditional tactics used in physical environments can form the basis of security in virtualization policies. It's still important to use least-privilege tactics to ensure that users and administrators only have the minimum access necessary to perform their particular tasks. In a virtualized environment, this might require additional layers of granularity, but the principle holds true.
Companies must also continue to take pains to educate administrators and users alike about the right way to use company data and how to avoid dangers like social engineering. Admins in particular must always use Secure Shell (SSH) for administrative console access and restrict their access to a limited set of internal network addresses. On top of these practices, companies must make it a policy to log all activity and regularly audit these records.
Match security features with best practices
Platforms like vSphere 6.5 include a number of security features, but you can garner the best results if you incorporate other practices and policies. For hypervisor security, make sure to limit each user's access to only the features he or she needs. Apply timeouts to ESXi or SSH access so physical access isn't available when administrators leave their computers. Protect ESXi hosts from intrusion by minimizing the number of open ports.
If you need tighter security, vSphere supports smart cards for multifactor authentication, and you can also lock out accounts that try to log in after 10 failed attempts. You can even standardize your environment and use scripts or templates to automate regular host management tasks. The fewer avenues you leave open for human error, from users to configuration, the fewer vulnerabilities your system will have.
Configure your VMs with security in mind
Keeping the hypervisor, as well as the host and guest VM OSes, patched with every version and update is an essential part of maintaining security in virtualization. If your organization evaluates and tests patches before applying them, make it a policy to expedite security patch testing to reduce the risk of zero-day attacks. Similarly, it's critical to update antimalware tools, which automatic updates can help ensure.
Beyond updates and patches, careful VM configuration can also improve security. VMs are often spun up through golden images, which include a number of configuration specifications, but an image might be unsecure if it has unnecessary open ports. These can increase the attack surface of every VM generated from the image. Make it a habit to examine the golden image and review configuration attributes. Throughout the entire VM lifecycle, each configuration should be monitored and managed so you can compile logs and be warned if changes are made.
Protect containers with past security lessons
Containers offer the ability to reduce the memory footprint of images by sharing the common parts of a VM -- all while saving bandwidth. The combination of these savings and the ability to create and deploy containers faster than VMs makes them a compelling tool. In the rush to try new technology, however, admins must make sure to incorporate the security experiences they had with hypervisor virtualization.
Vendor safeguards have long protected hypervisors from data vulnerabilities caused by multi-tenancy, but containers are at risk because of their relative immaturity. Running containers inside VMs can mitigate this problem because this protects the container in one VM from an exploit in another. Privilege escalation and denial-of-service attacks pose other risks, both of which are easier to create in container environments, but can be protected against by running containers as ordinary rather than root users. Other virtualization security best practices that can be applied to containers include using trusted sources for images that support image signatures and encrypting files to protect against malware attacks.
Improve vSphere security with enhanced logging
Use ESXi secure boot to boost vSphere security
Open source vulnerabilities strike VMware