Chris Preimesberger | Eweek
More and more enterprises are moving to server and desktop virtualization to conserve power, cooling, rack space, computing power, storage, and networking—all the things eWEEK has been writing about for years. The broadest trend in all of IT during the last decade is about “smaller but more powerful, more efficient, and easier to use.” As one might imagine, security becomes even more strategic as enterprises move from physical to virtual spaces and more business is done in the cloud. But, as with most disruptive IT, there are strings attached. While virtual machines and cloud services are so easy to create and deploy, they also come with a high number of additional security headaches. It’s one thing to have a physical box in a room to secure, but it’s quite another to try to effectively secure a multitude of VMs running randomly in the cloud. The same goes for accessing public cloud services; security problems come intertwined and data center managers and C-level executives need to be aware of all the risks. In this slideshow, produced by eWEEK with information from Stonesoft network security, we offer 10 ways to fortify the security of data assets in virtual and cloud-based computing environments.
Traditional Security Controls Still Apply
It may seem obvious, but many administrators forget to enforce basic security procedures and processes as they transition to a virtual setting. Antivirus, antispyware, firewall and intrusion prevention must be available on the server and host virtual platforms. Be careful, however, as these important security updates may create a storm-like environment that causes an unintentional denial of service.
Protect Your Hypervisor(s)
At the top layer of your virtual environment is the greatest opportunity for access. Virtual security controls can help prevent unauthorized changes and tampering to hypervisors.
Create a Virtual Security Policy
You should have a security policy for your physical environments, but make sure that you create policies, standards, guidelines and procedures for your virtual environments as well. They are many parallels, but some are widely different due to the physical limitations of the virtual world.
Build Collaboration Between Departments, Engineering Teams
Virtualization may span the entire enterprise and so can an incident resulting in a breach. Make sure the lines of communication are open and free of conflict so you can build virtually, and respond to virtual threats so that they do not become exploits.
Create Virtual End-Point Security
The need for traditional firewalls and intrusion prevention and detection systems doesn’t go away as you virtualize and move to cloud architectures. Deploy proven virtual firewalls and IPS’s at critical architectural points. Also, don’t forget to monitor and log with an enterprise integrated security information and event management system.
Insist Upon Patch Management
Many of the same issues exist in the cloud. Make sure your virtual environment is patched according to the criticality of the systems and data. Test patches in a sandbox, not in production. Stage and phase as required based on change control/management processes.
Understand Administrative Privilege
Role based access controls still apply in the virtual world so continue to use the principal of least privilege and audit administrative access and escalation of privilege regularly.
Deploy Virtual Forensics for In-Depth Defense
Problems can arise in every system, virtual or not. Remember to build in forensic logging and analysis into your virtual world. Add virtual device telemetry for even greater visibility. Be sure to maintain flow based telemetry for additional virtual visibility.
Invest in More Training
Training for virtual security is not always the same as for the physical world. Almost all of the traditional tools for deployment, management and forensics are different for the virtual world. Budget and plan for ongoing training for your team.
Guess what? Regulatory, Compliance Issues Are Still Here
Virtual environments are viewed with even greater skepticism than physical environments. Expect more in-depth examination of your adherence to rules and regulations. Maintaining strong access controls, zoning and configuration management is essential, especially in industries or localities that require high levels of regulatory compliance.