twobee - Fotolia


Strict policy alone can't prevent virtual server security breaches

Strict virtual server security policies are worthless if IT can't follow them. Protect your environment by setting realistic expectations and staying flexible.

True virtual server security is not something you can regulate solely with software or policy and procedures. Many organizations have tried and failed to keep their environments safe with firm rules and security software. And, while some security breaches can blamed on carelessness or malicious behavior, often times these breaches are the result of cutting corners. However, not all of these failures can be pinned on IT personnel. In many cases, management is to blame.

Impossible deadlines are the norm in IT today. Administrators are often called on to deploy systems and infrastructure with no prior notice and tight deadlines. The problem comes when tight deadlines run headlong into security restrictions and policy. Administrators and IT personnel do not want to break the rules (for the most part), but they are often put between a rock and a hard place. Management wants agility and adaptability while also ensuring everything is run through the proper policy and procedures. Most would argue that the way to do this is by coupling reasonable policies and procedures with reasonable expectations.

Unfortunately, the words "reasonable" and "management" don't always go together very well. For an organization to move at the speed of business and still preserve virtual server security, management and IT employees will need to walk hand in hand. Management having a clear understanding of how long something takes is no longer enough. Proper virtual server security policies and processes come with time and resources that need to be accounted for. While some managers may not like adding time to a project for these additional steps and procedures, it is a necessary adjustment if IT workers are to be held accountable to reasonable time frames. Unreasonable expectations will force employees into situations where they have to cut corners to meet goals or timetables.

Consolidation through virtualization creates other security challenges. While your physical attack surface may be smaller, any breach at the physical level can be much more devastating. This means having insight over your infrastructure is more important. Having total control simply doesn't work in today's speed of business. Rules can be put in place to prevent the introduction of unauthorized VMs, but rules can be broken internally and externally.

Having a deep insight and understanding with log monitoring, administrative audits and other monitoring software or policies gives you the line of internal defense that goes beyond perimeter defense. Rules will be broken; that is part of life and something we try to mitigate. Insight will give you the knowledge to recognize risks and quickly resolve problems when they occur.

No matter what technology you use, in the end it's all about your data. Data is the life of your company and must be protected from corruption, loss or theft. Many focus on the technical aspects, such as backups and recovery objectives, but that can lead you to overlook an important threat. Data theft and intentional destruction are real issues that can occur. However, this concern does not warrant an open license to spy on your administrators.

Monitoring and checks for anyone that has administrative level access is not out of the scope of reasonable precautions. Listening to those professionals can also make you aware of frustrations and possible concerns.

Along with monitoring, it is important to ensure that no single person holds all of the keys to your infrastructure. IT still suffers from the perception that a lack of information sharing can ensure job security, but this doesn't work. This line of thinking is faulty at best, and dangerous at worst. Administrators need qualified and knowledgeable backups to prevent a single failure point with staff. IT administrators are the people we trust with our company's most valuable assets, and we need to give them respect, understanding and safety checks to ensure their professional success along with the company's.

Next Steps

Virtualization security concerns we all forget

Data theft and destruction top virtualization security concerns

Five virtual server security oversights that could devastate the data center

Dig Deeper on Server virtualization risks and monitoring