Many of the tools and best practices you might use to protect your physical environment are almost useless in a virtual world. Traditional perimeter protection is not enough. The threats are different at the virtual level, so businesses must counter with security options designed with virtualization in mind. Keep these four considerations in mind as you develop your virtualization security strategy.
One of the perks of a virtual environment is also one of the biggest security drawbacks. A virtual infrastructure is flexible and dynamic. New machines are available within minutes and with very little cost investment. This is a positive attribute for almost any business model, but that scalability factor makes virtualization harder to manage.
Virtual sprawl is a term associated with an expandable virtual environment. As some point, the number of virtual machines outgrows your ability to keep them all secure. It is easy to miss simple details like security patches when you are trying to manage a large number of virtual machines.
In a presentation for the 2015 Rootconf, the lead systems engineer for BrowserStack Aditya Patawaricalled called these “extra” virtual machines wildcards. BrowserStack suffered a breach when attackers used offline virtual machines to gain access to the company’s systems. Patawaricalled suggests you:
Effective management is the key to avoiding virtual sprawl. Incorporate the following routines into your operational plans:
With virtual servers, your potential for magnifying configuration defects is exponential. If the initial setup is full of security risks such as unnecessary ports, useless and risky services and other vulnerabilities, each virtual machine after that will inherit those same issues.
Poor virtual network configurations are a common problem for businesses. Ensure proper segmentation on any virtual applications that call the host, or the other way around, such as web and database services. Many virtualization platforms provide just three switch security configurations settings:
This ignores virtual systems that make connections to other areas of the network. Look closely at any virtualization platform that enables communication from guest to host and disable them when possible. This would include:
Fine-tune your system monitoring assets to watch for these communication pathways, as well.
This includes conducting system integrity checks and patch management. With the right controls in place, a virtual environment may be easier to manage than a physical one if done right.
Test security patches thoroughly and then follow a basic strategy for implementing and controlling them
Discuss native management offerings with your virtualization vendor but look at helpful third party tools, as well. They can scan for vulnerabilities and work as a separate control measure.
Risk assessment and compliance is a learned trait, so make sure your team is well trained when it comes to virtual security protocols. The end-user is one of the biggest security risks any company faces. Educate all users about virtualization security concerns and how to avoid creating vulnerabilities. Add additional training for risk management, compliance groups and auditors. Teach them to:
Virtualization provides expansion opportunities and scalability that is hard to find within a physical environment. Proper planning and consideration of security best practices will allow you to take advantage of a virtual infrastructure and still have peace of mind.