Virtual Security: Keeping the Spinning Plates Aloft
By Geoff Webb
Published: Tuesday, August 11, 2009
David Spathaky holds a unique place in history as a
five-time world record holder for spinning plates. During a live television
performance in 1996, he managed to keep 108 plates aloft and spinning merrily. So
how do the challenges Mr. Spathaky faced with his 108 spinning plates compare
to those faced by security professionals today? As far as ensuring their virtual
environments are secure, there are five particular "spinning plates" of virtualization
that security professionals must balance to prevent catastrophe.
#1: New versus Existing Technology to Support Virtualization Adoption
There is no doubt that the pace of virtualization adoption
remains relentless. According to recent research from Ted Ritter at Nemertes
Research, titled "Virtualization Security - Achieving Compliance for the
Virtual Infrastructure," some 40 percent of application workload now resides in
the virtual space; yet, virtual security technologies remain strangely absent
from the corporate infrastructure. The same report shows that more than 70
percent have no plans to deploy these specialized virtualization security
technologies in the near future.
Does this represent some form of mass complacency? Are
enterprise security teams really so blasé about the risks to their virtual
systems? Perhaps not. Instead, it seems they are far more pragmatic about
security; rather than adopting a slew of new technologies, businesses are first
leveraging their existing systems and applications prior to making new
investments. As a result, they are finding that extending the existing security
tools and practices to the virtual world is a pragmatic and cost-effective approach,
provided that those tools and practices can be relied upon in the first place.
#2: Keeping Pace with Rate of New Threats
The need to ensure the confidentiality, integrity and
availability of resources - especially data - has been the same since the
ancient Greeks began using simple ciphers to encrypt military intelligence. The
fact that data exists in a virtual world in no way lessens the pressure to
secure it, but it does introduce many new challenges. In today's climate, the rate
at which new threats develop and evolve is astounding, and such changes are
increasingly difficult to navigate as a result. If the deployment of, and
reliance upon, massive information technology infrastructure within business
processes has accelerated this evolution of threat, then the growth of
virtualization and cloud computing has the potential to mutate risks, threats
and vulnerabilities beyond all recognition.
#3: A Vanishing Perimeter
There is the commonly cited aphorism regarding defense in depth
- that many layers of security are better than a single perimeter defense. This
makes perfect sense until you apply it to a world in which the infrastructure
is changing so rapidly that there is no concept of "depth" at all. Layering
security from firewall to DMZ to increasingly trusted zones all sounds
sensible, but when all of the above reside within the same set of rapidly
moving virtual structures, there is no meaningful perimeter.
Worse, in the presence of an all-powerful hypervisor (the
software that manages and administers the virtual systems), the concepts of separation
of duties and defense in depth have even less meaning and are harder to enforce.
#4: Single Point of Failure
While the security of the hypervisor remains a topic of
fervent debate, the mere presence of a single, trusted point of access to
everything invites the kind of sophisticated, targeted attack that has already
handily overcome most other forms of security technology at one time or another.
The very things that make virtualization so attractive to the business - its
ability to co-habit many systems on a single platform, the speed of response,
the flexibility and ease of deployment of new systems - are what make it such a
potential headache for security professionals.
#5: Change is the Only Constant
Change, along with complexity, is often the enemy of
security, and if virtual infrastructures offer anything, it is the possibility
for rapid, unpredictable change. Security processes are often over-taxed at the
best of times, and virtualization simply accelerates the speed at which the
world moves, therefore increasing the speed at which the operational security
teams must respond. If organizations have been reluctant to deploy specialized
security tools for the virtual world, it is possibly because they are already
struggling to maintain security in the far more sedentary, pedestrian physical
infrastructure. Simply adding new, untested and complex security tools may not
help resolve the problem when the issue at hand is so much more basic: the need
to respond to the rate of change, and the inability to do so.
Automation: The Key to Balancing Virtual Spinning Plates
If there is a technological solution to this problem, it is
to be found in automating many of the day-to-day security and administration
tasks around virtual systems. Rather than have increasingly large numbers of
security professionals running faster and faster to respond to changing
systems, automated processes can begin to offer ways to accelerate incident
response and vulnerability remediation. These automated security processes can
identify which systems are vulnerable and where an attack is targeted, allowing
a quicker threat response time without the involvement of an administrator,
hopefully before any significant damage is done.
Without a more automated approach to response, security
teams are very much like the world-record holding Mr. Spathaky, locked in an
increasingly frantic race to keep up with these 5 "spinning plates" and more
while needing to work ever faster and faster. And, inevitably, security teams
will rapidly reach the point at which manual methods no longer scale to meet
the problem, with predictable, and sometimes catastrophic, results. To secure
the ever-changing virtual environments so prevalent today, preexisting tools
can certainly save both time and cost, but organizations also should consider
automation. By leveraging automation, security teams can aptly manage the
changes that come hand-in-hand with virtualization technology, allowing them to
continue to expand in the future without jeopardizing any of their spinning,
airborne plates.
Geoff Webb, Senior Manager - Product Marketing, NetIQ
Geoff Webb has over 20 years of experience in the tech
industry. As a senior manager of Product Marketing at NetIQ, Webb is
responsible for the positioning, go-to-market strategies and sales enablement
of NetIQ's Compliance, Security Management and Configuration Control solutions.
Prior to joining NetIQ in 2007, Webb held management
positions at FutureSoft, SurfControl and JSB. Webb holds a combined bachelor of
science degree in Computer Science and Prehistoric Archaeology from the University of Liverpool, where he graduated with
honors. He is also a member of both the Information Systems Security
Association and the American Marketing Association.