Tackling Virtualized Environment Security
Page 2 of 2
Although the current state of virtualization technology provides some isolation between applications, this may not last long, and IT "has to think about how these things move around and how to control that because any audit requiring them to separate applications and data from other applications and data will become a challenge," Lynch warned.
However, IT security cannot control VMs.
In the physical world, new technologies went through a "very rigorous process" in a laboratory where their impact on various aspects of the IT infrastructure was assessed, then they were moved out into a small deployment environment "to make sure nothing had been overlooked" then they were put into production, Lynch said.
Virtualization "came in through the back door as an operational tool then leapfrogged into an architecture so it never went through that vetting process" because its rapid return on investment sped up its adoption, Lynch said.
Security assessments of clients' virtual networks by Catbird, which provides a comprehensive security solution for virtual and physical networks, have already turned up some horror stories.
In its very first assessment, it found 20 virtual appliances running in its client's environment where the IT security team had expected eight.
Shocked, IT security went to the operations team and asked if Catbird had been looking at the correct ESX cluster of virtual hosts.
Because IT security has no idea what's being deployed in the data center, the compliance teams don't have a clue either, Berman said.
A Different point of view
Stonesoft, which makes integrated network security solutions, believes it's possible to control the virtualized environment by architecting the infrastructure properly and implementing appropriate policies.
"I was talking to someone who discovered 162 instances of Microsoft SQL Server running in their virtual environment that they didn't know were there," Stonesoft solutions architect Greg Mead told InternetNews.com.
To prevent that sort of problem, enterprises must write policies and configure firewalls "to allow pinhole communications where possible", whereby only the ports needed for communications would be open, and nothing else, he said.
Security News Solutions