Tackling Virtualized Environment Security

As enterprises gallop ahead towards virtualizing their IT infrastructures, security and compliance issues are going to slow them to a crawl.

That’s because virtual environment security is nothing like security in the physical environment.

Security measures in the physical environment are based on the servers being fixed, having a constant identity, and being easy to check on, but the virtual environment is always fluid, always changing and difficult to get a handle on.

Worse still, the tools and processes that ensure security in the physical environment just don’t work in a virtualized one.

“The existing tools for remediation, discovery and so on aren’t for the virtual world,” Chris Farrow, director of product strategy at virtualization policy management vendor Fortisphere, told InternetNews.com.

“They don’t understand the virtual architecture is dynamic, virtual machines can be turned on or off, and typical scanning and provisioning tools don’t understand the concept of machines being able to migrate on the fly, an entire machine that you can capture on a thumb drive,” he explained.

“They expect a box that’s on 24×7, is always sitting on a rack somewhere and not dynamically changing its identity and nature or being moved easily from one host to another.”

The procedures for regularly assessing the IT environment, finding out which boxes are running what software, for patch management and for provisioning are “great for the physical world, but not for the virtual world,” Farrow said.

“You can have a physical box with 20 virtual machines (VMs) on it talking to each other all day long and there’s no way to get inside the network and find out what’s going on, so all the tools people have bought over the last 10 years or so have to be re-instrumented.”

There are three facets to the problem, David Lynch, vice president of marketing at Embotics, told InternetNews.com. These are the loss of identity; mobility; and the loss of control by the IT security team.

In the physical world, a server is identified in the environment by its physicality — the rack or row number, or something associated with the physical machine — and, when it’s virtualized, “you, in essence remove its identity,” he said.

To make things worse, cloning a virtual machine results in several identical copies, and that creates system management, maintenance and updating problems because it’s difficult to identify and differentiate the various clones of a VM from one another.

Adhering to compliance

Ensuring VMs are adhering to compliance and separation rules is also difficult because VMs are highly mobile, and can be migrated automatically to a different physical server if the resources of the one they’re on are inadequate.

For example, an enterprise’s human resources systems or credit card systems could end up running on a server where they could be potentially accessed by a Web server application when the VM they are running on is kicked over automatically to a new physical server.

Consolidation, which is the main reason corporations opt for virtualization, can also lead to this problem because “you might have had separate VLANs (virtual local-area networks) and segments for different kinds of data — customer data, credit card data and so on — but when you consolidate 20 physical servers into a single ESX host, all that data is on the same virtual switch so, more often than not, your data and network segmentation are lost,” Michael Berman, Catbird’s chief technology officer, told InternetNews.com.

Page 2 of 2

Although the current state of virtualization technology provides some isolation between applications, this may not last long, and IT “has to think about how these things move around and how to control that because any audit requiring them to separate applications and data from other applications and data will become a challenge,” Lynch warned.

However, IT security cannot control VMs.

In the physical world, new technologies went through a “very rigorous process” in a laboratory where their impact on various aspects of the IT infrastructure was assessed, then they were moved out into a small deployment environment “to make sure nothing had been overlooked” then they were put into production, Lynch said.

Virtualization “came in through the back door as an operational tool then leapfrogged into an architecture so it never went through that vetting process” because its rapid return on investment sped up its adoption, Lynch said.

Security assessments of clients’ virtual networks by Catbird, which provides a comprehensive security solution for virtual and physical networks, have already turned up some horror stories.

In its very first assessment, it found 20 virtual appliances running in its client’s environment where the IT security team had expected eight.

Shocked, IT security went to the operations team and asked if Catbird had been looking at the correct ESX cluster of virtual hosts.

Because IT security has no idea what’s being deployed in the data center, the compliance teams don’t have a clue either, Berman said.

A Different point of view

Stonesoft, which makes integrated network security solutions, believes it’s possible to control the virtualized environment by architecting the infrastructure properly and implementing appropriate policies.

“I was talking to someone who discovered 162 instances of Microsoft SQL Server running in their virtual environment that they didn’t know were there,” Stonesoft solutions architect Greg Mead told InternetNews.com.

To prevent that sort of problem, enterprises must write policies and configure firewalls “to allow pinhole communications where possible”, whereby only the ports needed for communications would be open, and nothing else, he said.

News Around the Web