Andrew Brink brings more than 15 years of information security, networking and application development experience to his current role. As a solutions director, Brink provides leadership for a team of solutions architects across multiple sales regions. His team works closely with the sales team for those regions and provides vision, leadership and expertise in security solutions and services for clients.
Virtualized Security Works Best When it’s Built on the Basics
Industry analyst firm Gartner says that virtualization projects are currently the number one priority for CIOs. Yet Gartner also reports that, “Through 2012, 60 percent of virtualized servers will be less secure than the physical servers they replace.” Why is there such a significant disconnect between virtualization and security?
One reason is that it’s relatively easy to deploy virtual servers in an environment. So easy, in fact, that the information security department is often removed from the process. As a result, companies fail to follow pre-defined security measures.
Secondly, many companies locate virtual servers on the same physical host instead of segmenting them, introducing a lack of visibility and control between virtual systems. The visibility of guest-to-guest communication, on the same host, has become more difficult. A lot of security measures have been put on the physical network and hence cannot see this communication. Regardless of whether a company is using physical servers or a virtualized environment, it is essential that they keep security domains and risk zones separate. A host that houses DMZ guest servers should not also house an internal accounting server.
The final area of concern, one that is too often overlooked, is the security of the host system itself. While the guest systems usually have known controls, patch cycles, etc., the host is left in default configurations and remains open to modification, thus allowing copies or re-routing of traffic without the knowledge of the guest systems.
One solution to these problems is to enforce security controls within the virtual environments in a similar manner that physical environments are enforced. Virtualized environments can be segmented using existing IPS and firewall appliances; however, in-house security or server teams may not have experience integrating these technologies with their virtual environments. This integration is becoming easier because virtualization vendors have released programming interfaces that allow new products to be introduced into the marketplace that provide additional security and features. Firewall and IPS vendors are releasing “VM Aware” products that can inspect the VM-to-VM communications. Vendors are offering products that can help secure virtual environments by allowing antivirus and other protections to reside at the hypervisor level. This provides the additional benefit of conserving processing cycles for each virtual machine.
Additionally, security vendors are releasing virtual platforms of their hardware appliances, which allow increased flexibility, visibility and control of virtual environments. In the past, these virtual appliances were primarily used for non-production environments. With the increased speed in host servers, virtualized appliances are becoming viable for use in full production environments. Not all virtualized appliances work well in production environments, so to ensure success, appropriate sizing and planning needs to be done.
While increased functionality, visibility, and control have become possible with products geared towards virtual environments, the best practice in promoting “virtualized security” is to go back to the basics. The use of these products needs to be in conjunction with a strong security framework in order to provide a secure virtualized environment.