Over the past three years server virtualisation has made it from hype cycle to the mainstream while desktop virtualisation is one of today’s hot technology trends. Despite the rapid acceptance of virtualisation, few organisations have given thought to the security implications of deploying the technology.
In many cases, virtualisation changes the rules of the security game and organisations need to adapt their security strategies accordingly. There is a common belief that security is simply not an issue, because all virtualised servers reside deep inside an organisation’s network, and are therefore automatically protected by existing security devices. However, virtual platforms create radically different and more dynamic relationships between IT resources compared to those found in traditional computing environments, and this has an impact on network security.
There are a number of important security considerations organisations should be thinking about if they have or plan to adopt virtualisation.
Consideration 1: Do your research and be clear on what virtualisation actually is
Virtualisation security is gradually being better understood as more and more incidents of security breaches come to light and specialised security products are developed. However, combined with the continuous need to meet stringent regulations or compliance guidelines, means it is beginning to creep to the top of the network manager’s priority list.
When talking about virtual security, the first important consideration is to define what is meant by a virtual environment, as this will define the types of threats posed to the network. A virtual environment is everything that directly or indirectly touches the virtual host. The components of a virtual environment include, but are not limited to, management tools, backup tools, storage and both virtual and physical networking. Not properly defining a virtual environment can lead to organisations overlooking a key security issue and compromising the entire network.
Consideration 2: Get the IT security team involved from the word go
The most common motivation for a virtualisation project is cost saving, coming from server consolidation. The project is typically managed by server administrators, who in many larger organisations are separate from the IT security team, and the security team are engaged late in the project.
This scenario can lead to security becoming overly complicated as security is retrofitted onto the networks. Yet complex solutions and procedures actually decrease security effectiveness by increasing the possibility of configuration mistakes. A recent Gartner report shows that more than 99% of security breaches are caused by misconfiguration.
Simplicity is one of the most important principles in security so organisations need to ensure that they include the security team throughout the implementation process.
Consideration 3: Physical security appliances will leave you blind in the virtual world
Virtual environments are part of the internal network and vulnerable to security threats, so need to be as adequately protected as the rest of the internal network. Traditional physical security appliances such as firewalls have a major disadvantage in that they cannot see inside the virtual environment. Physical security appliances can see every packet that enters or leaves the virtual environment but they cannot see the traffic that resides within. In other words, if one virtual machine is infected this can spread throughout the whole of the virtual network without physical security devices detecting it.
No matter what your security strategy is in the physical world it should be replicated in the virtualised world. If you have internal firewalling between applications, and between network segments, and you start virtualising applications and network segments or even collapsing data centres as some of the hosting companies are doing, then you need to take all of the security with you into the new virtualised environment.
Consideration 4: Be aware of VLAN tagging
Physical security appliance vendors claim that you can extend the virtual network outside the virtual environment by using VLAN tagging. This is technically true, but very often a cumbersome way to obtain visibility into the virtual network. Management of the different VLANs becomes very complex, this complexity leads to errors, which ultimately leads to insecure systems.
Consideration 5: Virtual environments need virtual solutions
Those organisations that are ahead of the game are implementing firewalls and IPS directly into the virtual environment. They are using solutions that are specifically designed for protecting virtual networks. This enables them to have direct visibility into the virtual machines and protects the virtual environment from within. Virtual security appliances can be placed anywhere inside the virtual environment and this added flexibility helps protect even the most complex of virtual networks.
Businesses need to keep security at the forefront when implementing virtualisation strategies. Network security threats will be significantly reduced if businesses can ensure that the virtual environment is part of the overall network architecture and enforce consistent security policies throughout its networks. Only by taking these considerations seriously will businesses be able to benefit from this innovative technology without exposing themselves to unnecessary risks.
Ash Patel is the UK & Ireland country manager for Stonesoft