Commentary--The emerging IT adoption of virtualization technology holds the promise of reduced power consumption, reduced management complexity, better asset utilization and a more agile IT infrastructure. However, the introduction of virtualization brings additional complexity into compliance and security efforts.
The understanding and effective management of this complexity is a key capability in achieving successful security while fully realizing the benefits of virtualization. Here are some of the most common issues posed by adopting virtualization that every organization must consider.
You can't manage what you can't see! IT departments are often unprepared for the complexity associated with understanding what VMs (virtual machines) exist and which are active or inactive. To overcome these challenges, discovery tools need to extend to the virtual world by identifying Virtual Machine Disk Format (.vmdk) files and how many exist within the environment. This will identify both active and inactive VM’s.
Difficulty in understanding which VMs are on which hosts and identifying which business critical functions are supported by each VM is a common and largely unforeseen problem encountered by IT departments employing virtualization. Mapping guest to host relationships and grouping the VM’s by criticality & application is a best practice when implementing virtualization.
3. Configuration management
Ensuring VMs are configured properly is crucial in preventing performance bottlenecks and security vulnerabilities. Complexities in VM provisioning and offline VM patching is a frequent issue for IT departments. A Technical Controls configuration management database (CMDB) is critical to understanding the configurations of VM’s especially dormant ones. The CMDB will provide the current state of a VM even if it is dormant, allowing a technician to update the configuration by auditing and making changes to the template.
4. Additional security considerations
If a host is vulnerable, all associated guest VMs and the business applications on those VMs are also at risk. This could lead to far more reaching impact than the same exploit on a single physical server. Treat a Virtual Machine just like any other system and enforce security policies and compliance. Also, use an application that dynamically maps guest-to-host relationships and tracks guest VM’s as they move from host to host.
5. VM identity management issues
Virtualization introduces complexities that often lead to issues surrounding separation of duties. Who manages these machines? Do application owners have visibility into changes being made? Identify roles and criticality and put them through the same processes you leverage for physical devices including change management, release management and hardening guidelines.
6. VM network configuration control
With multiple operating systems sharing a single IP address behind a NAT, network access control becomes much more complex in a virtual network. To address this use AD, DNS and NetBIOS to identify bridged VM’s. IP sweeps in most cases will not pick these up.
7. Identifying and controlling VM proliferation
VM’s can pop up and move to any location in an instant. To manage this potential issue, you must establish and enforce a process for Virtual Machine deployment.
8. VM host capacity planning
Virtualization can make understanding what applications are running and how many resources are being leveraged much more difficult. To better deal with this issue, organizations must track how many guest to host relationships exist and the configuration of the VM’s.
9. ESX host driver and ACL information
How is the ESX System itself configured? Does it meet your PCI requirements? Who has permissions to the system? Does it meet your regulatory compliance needs? Organizations must proactively manage ESX machines by tracking and trending their security configurations over time to make sure they don’t "drift" from corporate standards.
10. ESX host configuration management
If a guest is infected with a worm or virus it will attack the other local VMs. If that image is moved to another host, it will continue to do damage across the organization. Do you have visibility into guest to host relationships and their configurations? Guest to host mapping and their configuration history is critical to the success of managing virtual machines.
11. Intellectual property
Virtualization makes it more difficult to know who has what information. How do you know your VMs are not walking out the door with critical information and data? Verifying encrypted data and historical information on your guest VMs can help manage and secure intellectual property.
George Gerchow is a technology strategist for Configuresoft's Center for Policy and Compliance.