|
The prospect of increased agility and the increasing cost and complexity of IT has contributed to the rapid adoption of virtualization technologies. Virtualization makes it possible to build and deploy IT releases and changes into production faster and more economically than ever. Some virtualization experts claim that virtualized environments are fundamentally no less secure than physical environments. However, others claim that virtualization can enable better security. Who is correct? Both claims can be correct, but only under certain conditions.
Every day, information security practitioners live with the reality that they are a single change away from a security breach that could result in front page news, brand damage, or regulatory fines. These issues are clearly not confined to security, but impact business at the highest level. Consequently, security practitioners strive to implement IT controls to mitigate issues such as the risk of fraud, loss of confidential customer information, disruption of critical business services and data integrity, and inaccurate financial reporting. Security must be baked in from conception, not addressed later as an afterthought. But since virtualization is already here, what steps can we take to implement effective security controls? Where do we start, and in what order? And how do we do this in a way that creates value rather than the perception of information security creating bureaucratic barriers to getting real work done?
These are the types of questions that I’ve been trying to answer since 1999, when I started studying high performing IT operations and information security organizations. At this point, I can confidently say that I’ve seen the best and worst of information security. The high performing organizations I’ve studied consistently had the best security, the best compliance posture, the greatest ability to make changes quickly and successfully, and optimal efficiency.
In this paper, I describe seven practical steps that IT organizations can take to mitigate the unique security challenges of virtualization. While many of these steps are solid best practices that apply to both physical and virtualized environments, some are directed specifically at virtualized environments. Achieving a known and trusted state is a challenging task for even the most technically adept and processfocused organizations. Tripwire, the recognized leader of Configuration Audit and Control with over 6,000 customers worldwide, enables organizations to fully realize the benefits of both their virtual and physical environments by ensuring that the entire data center achieves and maintains a known and trusted state. Tripwire specifically addresses the security of virtual environments with CIS- and VMware-issued policies aimed directly at securing VMware ESX Servers, the hypervisor most used to virtualize machines. In addition, Tripwire® Enterprise integrates with critical systems—such as change management and asset management solutions—allowing us to maintain full visibility and control into the data center and any changes made to it.
The Unique Information Security Challenges of Virtualization
Every day, information security practitioners live with the reality that they are a single change away from a security breach that could result in front page news, brand damage, or regulatory fines. These issues are clearly not confined to security, but impact business at the highest level. Consequently, security practitioners strive to implement IT controls to mitigate issues such as the risk of fraud, loss of confidential customer information, disruption of critical business services and data integrity, and inaccurate financial reporting. Effectively balancing risk with controls is made even more difficult by the constant pressure on IT to respond quickly to urgent business needs. Most business functions now require IT in order to conduct operations. In fact, almost every business decision requires at least one change by IT—a trend that continues to grow. The resulting need for increased agility and the increasing cost and complexity of IT has contributed to the rapid adoption of virtualization technologies. Virtualization makes it possible to build and deploy IT releases and changes into production faster and more economically than ever before. Some virtualization experts claim that virtualized environments are fundamentally no less secure than physical environments. Others claim that virtualization can enable better security. Both claims can be correct, but only under certain conditions. The reality is that when information security controls are improperly implemented or neglected in virtualized environments, real security risks and exposures are created faster than ever. This is the potential dark side of virtualization, and the information security controls that adequately controlled risks before virtualization may no longer suffice.
|
