Executive Viewpoint: Tom Ashoff, Sourcefire By Tom Ashoff published: Tuesday, December 23 2008
2009 will be a year for virtual security.
2007 was a breakout year for virtualization, where companies discovered the economic and organizational benefits in building out a virtual infrastructure. According to a survey conducted by Symantec in late 2007, 90 percent of the survey respondents have implemented or are considering virtualization for their data centers, and 50 percent have actually implemented it. Virtualization projects range from server consolidation and disaster recovery to the simplification of provisioning for desktops and associated applications.
2008 has been a year in which organizations are digesting their purchases of virtualization products and are only now starting to realize the management challenges virtualization brings. Only a relatively small number of respondents to an Enterprise Management Associates survey published last April thought that virtualization made management tasks more difficult. According to the author of the survey, however, the respondents probably underestimate the difficulties and are likely to change their response in the next year or so. Everything from performance and capacity management to troubleshooting and security administration becomes more difficult in a volatile, multilayered and often heterogeneous virtualized environment.
In the midst of dealing with the complexity of managing virtual networks, organizations have not paid sufficient attention to security. According to Stephen Elliott, IDC's research director for enterprise systems management software, "We're finding security is the forgotten stepchild in the virtualization build-out. That's scary when you think about the number of production-level VMs." IDC research indicates that 75 percent of companies with 1,000 or more employees are employing virtualization today.
Historically, the security market has been driven by the occurrence of well-publicized attacks or incidents, such as various computer worms (Slammer, Storm, Nimda, etc.), the theft of consumer credit card data from Hannaford, or the theft of a Veterans Administration laptop containing personal data for millions of veterans. This negative publicity created a greater sense of security awareness, which in turn led to more stringent regulatory requirements for security.
Because of the lack of attention paid to securing virtual networks, there is a distinct possibility that the first public security breach related to virtualization policies or technologies will take place in 2009, which will lead to even more scrutiny of security in virtualized environments. As a result, in 2009, security will take center stage, with security professionals playing a larger role in auditing their virtual environments and making the necessary architectural and policy changes.
Compliance will also play a much larger role for virtualization in 2009. Until now, auditors have not played a large role in inspecting virtual networks to ensure they meet regulatory requirements. The Payment Card Industry's Data Security Standard (PCI-DSS) was recently updated on October 1, 2008, from version 1.1 to 1.2 and includes no provisions to secure data in virtualized environments. However, as virtualization becomes more prominent and auditors become more familiar with this technology, this will change. At some point we can expect that virtualization will explicitly be mentioned in standards such as PCI-DSS, and organizations will either have to make changes to meet compliance requirements or determine how to satisfy requirements with the architectures they have selected.
For example, one key area where virtualization may affect PCI-DSS is network segmentation. The current PCI standard encourages companies to isolate their payment systems in a separate, secure network to decrease their exposure. Unfortunately, it is not clear whether two virtual machines (VMs) in the same physical host can be considered to be properly segmented. Therefore, defining and enforcing true segmentation between VMs will be an important topic in 2009. This discussion may strengthen the business case for virtual firewalls and intrusion prevention systems (IPSes), because these devices can more effectively enforce segmentation between VMs.
As virtualization begins to reach maturity within the enterprise, organizations will have to address a bevy of security-related issues. In order to effectively protect their environments from the threats VMs are subject to, organizations must view security as a process, not a technology or product. With this in mind, a number of best practices can help mitigate the security risks that may be created when an enterprise implements virtualization:
- Apply standard security practices to VMs as if they were physical. These include antivirus and antispyware agents, configuration control, and vulnerability scanning.
- Segment VMs by the data they contain. Do not combine VMs containing sensitive data with VMs designated for QA or testing, for example.
- Enforce isolation between network segments. Do not combine VMs in the same host if they are connected to network segments at different trust levels.
- Guard against VM sprawl by maintaining an inventory of VMs and the physical host they reside on. All migrations should be documented and subject to a configuration control approval process.
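The co-location and sprawl practices above can be checked mechanically against a VM inventory. The following is an added example, not code from the article or from Sourcefire; the inventory, migration log and field names (trust, data, ticket) are constructed assumptions, and "cardholder" is used as a stand-in for a PCI-scoped segment.

```python
# Added example: audit a VM inventory for the co-location and sprawl rules
# described in the best-practices list. All data below is constructed.
from collections import defaultdict

# Constructed inventory: VM name, physical host, network trust level, data class.
INVENTORY = [
    {"vm": "pay-db-01", "host": "esx-a", "trust": "cardholder", "data": "sensitive"},
    {"vm": "pay-web-01", "host": "esx-a", "trust": "cardholder", "data": "sensitive"},
    {"vm": "dmz-proxy-03", "host": "esx-a", "trust": "dmz", "data": "internal"},
    {"vm": "hr-db-02", "host": "esx-b", "trust": "corporate", "data": "sensitive"},
    {"vm": "qa-build-07", "host": "esx-b", "trust": "corporate", "data": "test"},
    {"vm": "tmp-test-99", "host": "esx-c", "trust": "corporate", "data": "test"},
]

# Constructed migration log: every move should carry a change-control ticket.
MIGRATIONS = [
    {"vm": "qa-build-07", "from": "esx-c", "to": "esx-b", "ticket": None},
    {"vm": "hr-db-02", "from": "esx-a", "to": "esx-b", "ticket": "CHG-1042"},
    {"vm": "dev-box-11", "from": "esx-a", "to": "esx-c", "ticket": "CHG-1050"},
]


def by_host(inventory):
    """Group VM records by the physical host they currently reside on."""
    hosts = defaultdict(list)
    for vm in inventory:
        hosts[vm["host"]].append(vm)
    return hosts


def mixed_trust_hosts(inventory):
    """Rule: hosts carrying VMs attached to segments of different trust levels."""
    return sorted(h for h, vms in by_host(inventory).items()
                  if len({v["trust"] for v in vms}) > 1)


def sensitive_next_to_test(inventory):
    """Rule: hosts that mix sensitive-data VMs with QA/test VMs (any trust level)."""
    return sorted(h for h, vms in by_host(inventory).items()
                  if {"sensitive", "test"} <= {v["data"] for v in vms})


def undocumented_migrations(migrations):
    """Sprawl rule: moves recorded without an approved change ticket."""
    return [m["vm"] for m in migrations if not m.get("ticket")]


def reconcile(inventory, migrations):
    """Sprawl rule: migration records whose destination disagrees with the inventory
    (including VMs the inventory does not know about at all)."""
    where = {v["vm"]: v["host"] for v in inventory}
    return [m["vm"] for m in migrations if where.get(m["vm"]) != m["to"]]
```

Running the four checks over the sample data flags esx-a for mixed trust levels, esx-b for sensitive data beside a test VM, one unticketed move, and one VM present in the migration log but absent from the inventory.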
It is likely that regulatory pressure will begin to emerge and that auditors at some point in the not too distant future will require organizations to address the potential risks caused by virtualization. In the midst of this environment, IT security professionals need to support best practices with tools that can help them do their jobs effectively. They need visibility into their virtual infrastructure, tracking where VMs reside, where they move to, and what other hosts they are communicating with. They also need a means of applying the proper security processes to their VMs, providing the same level of security to their virtual infrastructure that they do to their physical infrastructure.
If we are to truly benefit from the promises of virtualization, security must come to the forefront in 2009. Best practices and tools that offer a holistic approach for managing both physical and virtual network security are the answer. With this in mind, perhaps industry can finally break the cycle of having a major and quite public security breach open our eyes to the need for security in the virtual environment.
Tom Ashoff joined Sourcefire in April of 2003 as Vice President of Engineering. Tom is responsible for the company's engineering infrastructure and processes as well as executing Sourcefire's aggressive product development roadmap. Prior to joining Sourcefire, Tom was Vice President, Strategic Product Engineering at Network Associates Laboratories, Network Associates' (McAfee) Technology Research Division, where he directed strategic research efforts for the company. Earlier in his tenure at Network Associates, Tom was the Vice President of Engineering for PGP Security, a business unit of Network Associates. Tom joined Network Associates through the acquisition of Trusted Information Systems (TIS) in 1998. At TIS, Tom was the Senior Development Manager for the Gauntlet Firewall and VPN products. Prior to TIS, Tom developed software for GTE Spacenet, Contel ASC, HRB Singer, and the National Security Agency. Tom holds a B.S. in Computer Science from the University of Pittsburgh.