Five Fundamentals to Secure Virtualization

As channel partners look to help their customers roll out new virtualization projects, some of the top objections they’ll encounter before installing a greater density of virtualized infrastructure revolve around security.
According to a new survey released at VMworld this week by Sunnyvale, Calif.-based Centrify, security is the leading roadblock to virtualization, with 46 percent of respondents reporting security as the most likely cause for a virtualization adoption slowdown. Only about 20 percent of respondents reported strong confidence in the security of their virtualized data centers.

The major players in virtualization are cognizant of the security conundrum. In fact, security is such a bugaboo that EMC recently put together a panel of experts from its VMware, Ionix and RSA divisions to come up with some guidelines for securing virtualized environments. The result was a report released this week, Security Compliance in a Virtual World, that outlines five best practices necessary to mitigate risks when virtualizing the environment. Channel Insider examines these five points and how they relate to the channel.

Platform Hardening

Just as your clients need to harden the configuration of their physical boxes, network switches and appliances, they also need to securely set their virtual machines and virtual switches in the same fashion. Not only that, but the administrative hypervisor also needs to be hardened. This includes patching regularly, uninstalling unused components and configuring secure settings.

“Hardening checklists for virtualization platforms are available from several sources,” the report notes. “Organizations should work with internal and external auditors in selecting the right hardening guide for their organization.”

The report recommends guidelines from Center for Internet Security (CIS) and the Defense Information Systems Agency (DISA) as good established best practices to model after.

Channel partners that skill up their practitioners to understand standards such as these and the general principles behind hardening will greatly benefit their customers and lend themselves an edge in virtualization project bake-offs. Offering to develop and enforce hardening guidelines is an excellent value add to layer on top of virtualization integration, implementation and administration.

Configuration and Change Management

Because virtualization technology makes it so easy to provision new virtual machines, move them around and change their set-ups, it is very easy to devolve into a state of configuration and change management chaos when it comes to maintaining the environment.

Even when virtualization systems are properly hardened upon install, organizations must remain vigilant to maintain that baseline of secure configuration.

“As changes occur, such as new software is added or system settings are changed, a good change management process ensures that a virtual system continues to meet the ‘gold standard,’ and that any changes made are limited to authorized changes,” the report says.

This presents the channel a tremendous opportunity. VARs should look for every opportunity to up-sell customers with run-of-the-mill virtualization projects to the right automation and configuration management tools necessary to control the chaos. Service providers and consultants can also find the situation ripe for the sale of change management policy development, auditing and remediation.

Administrative Access Control

Sound security principles like the rule of least privilege and separation of duties don’t just get thrown out the window when organizations virtualize their systems. In fact, they become more important than ever, because when virtualized the increased density of systems and applications on a single physical box can make it all the easier to control more systems in one fell swoop if proper access control is not maintained.

“Careful separation of duties and management of privileges is an important part of mitigating the risk of administrators gaining unauthorized access either maliciously or inadvertently,” the report notes. “Depending on the sophistication of the virtualization software, it is possible to define specific roles and granular privileges and assign those to individual administrators.”

Solution providers should assist their customers in understanding the importance of role-based access control within and outside of the virtualized environment. As a trusted partner, it is your job to do the homework for a customer and help them choose a solution that allows for the finest grained access control possible. The channel can also play a consultative role for less mature organizations, offering the expertise necessary to execute the mapping of access right policies against organizational roles.

Network Security and Segmentation

Organizations with massive hunks of virtualized servers lacking any kind of segmentation are at far greater risk of exposing sensitive information than those who use virtual switches to group virtual machines into their own virtual LANs similar to their physical counterparts.

“One of the important aspects for compliance is making sure machines that process protected information are isolated so that the data is not co-mingled or accessible through other machines,” the report explains. “A virtual network is similar to a physical network except that it is embodied in software within the virtualization platform and not in hardware.”

Channel partners with network security expertise should leverage it within the virtualization space by partnering with networking and security vendors who offer virtual switches, as well as virtual security offerings such as virtual firewalls and virtual IDS/IPS.

Audit Logging

Even with a sanely configured and segmented pool of virtualized infrastructure, your customers still need to appease the auditors with proof that they’re doing the right thing. Organizations need to have the tools and automation in place to correlate activity within the virtualized infrastructure with all other activity across the physical IT milieu.

Experts recommend importing virtual system log data into the overall security information and event manager (SIEM) in order to facilitate that connect-the-dots mentality.

“For example, consider that an administrator moved a virtual machine from one server to another,” the report says. “This event can be correlated to other events and show that the administrator logged in over the VPN at four o’clock in the morning, incorrectly logged into four servers, and then logged into the virtual system to make this change.”

Channel partners who assist customers in accomplishing this security correlation will not only improve the overall situational awareness of these organizations, but also greatly improve their chances when the auditors come clipboard-in-hand.