Admins should build a thorough endpoint security policy based on guest hardening to ensure a strict security mindset...
informs the foundation and reach of a virtualized system.
The role of the virtualization administrator has grown parallel to virtualization's dominance of the data center. The virtualization admin is also taking on new duties as previous disciplines roll into the virtual realm. A critical but often overlooked duty is guest security.
Security is a mindset that everyone must have. Even small security mistakes can cause massive breaches that cost companies millions due to lost data, lawsuits and customer flight. Host security and virtual infrastructure are often primary security concerns, but endpoints shouldn't be neglected.
VMware vShield and a host of similar products can help support security at the hypervisor layer, but virtual guest hardening should come first in any endpoint security policy. If additional layers of security are necessary, it's best to start with a solid base and build from there.
The first step in building this foundation is to eliminate unnecessary endpoints. Additional services in the base OS or virtualized hardware in the guest configuration should also be examined. The number of endpoints in a virtualized environment can substantially increase the workload.
Shortcuts can damage an endpoint security policy
VM sprawl is a self-inflicted problem. VM templates are the primary cause because some level of automation, using preconfigured VM templates as a base, creates almost all the VMs.
Every deployed VM is a clone, which is good for consistency, but can create VM sprawl. The template might start out as an ideal tool, but, over time, after the addition of more and more software or virtualized hardware, time-saving shortcuts can damage the template and infect everything created with it.
The presence of too many templates for every single configuration can make management strenuous. Look for a balance between having a solid starting point and having the ability to add additional services on top of deployed VMs.
Never approach it as though only a service or two require removal. Instead, start at the lowest point and add to it. This makes it harder to forget to remove something before putting it into production. Create these starting points for deployments to ensure there's a balance between time-saving templates and custom configurations.
In virtual environments, shortcuts and time-saving techniques can benefit overworked admins, but they can also create risks that an endpoint security policy needs to address. Copying and pasting from a remote desktop to a virtual desktop is a primary example.
Installed guest tools in a VM often enable or disable copying and pasting and, though it saves time, it's not the best setting for security hardening. Shortcuts need to be disabled in the VM settings to prevent software from being copied from outside the virtual environment to a guest with minimal protection.
This forms part of a larger problem when navigating the tension between VM accessibility and security when designing an endpoint security policy. The demand for VMs that admins and application owners can all access can quickly strain security measures, but the virtual admin can't afford to lose sight of how users access these machines. Part of the process involves copy and paste, but the other part is sticking to remote management services over traditional console access.
It's critical to stick with locked down management services rather than using management shortcuts. Even in short windows that require tight turnarounds, this must remain standard.
Guest hardening isn't only about running security analysis tools or ensuring patches are up to date. It's first about establishing a solid base and then building to a thorough endpoint security policy with further layers of security products, such as VMware vShield or NSX. Security has to be second nature when deploying workloads across an environment.
Automation has taken over deployment and it tends to focus on speed and ease. It's now so fast that admins often struggle to avoid deploying soft targets that present vulnerabilities for east-west attacks.
The challenge is that the pace of automation must remain fast for the business to stay competitive. A few additional efforts behind the scenes with guest hardening, however, can create a solid base for additional layers of security that together form a thorough endpoint security policy.