5 tips to audit and improve virtual server security
On the surface, security
questions surrounding virtual servers don't seem much different than those
for the physical machines on which they run. In fact, starting a virtual security
audit by keeping in mind what you've already learned in the physical world is
an excellent approach. Security analysts say the same practices, principles
and basic common sense apply for a group of virtual servers as for any physical
server farm. But, IT managers also need to factor in some additional considerations,
due to the unique characteristics of the virtual world.
One example: software can be deployed so much more quickly using virtual machines
that some steps in the typical provisioning process may have been eliminated,
says Paul Love, director of information security at Standard
Insurance in Portland, Ore. That, in turn, requires IT departments to make
sure the necessary controls and oversight are in place, with the truncated time
frame in mind.
"With virtual machines, it's very helpful to pay attention to the actual
configuration of the system," Love says. "You need to really have
a stable build so that when you deploy a thousand versions of it, they all meet
management's requirements for what controls should be in place."
When Love's team audits security for its virtual server environment, it doesn't
introduce new steps so much as extend the ones it already has for physical servers,
Love says. That includes looking at the interactions among systems and ensuring
that the operating system on which the virtual machine runs is secure and encounters
no "configuration drift."
"We have to work very closely with change management," Love says.
As background research for auditing and improving your virtual security, you
may want to consult guidance for securing virtual server environments that's
available from the Center
for Internet Security, the Defense
Information Systems Agency and virtual server leader VMware.
"They [IT leaders] need to read these guides and come up with a summary
set of lock-down and hardening policies that are customized for their environments,"
says Nand Mulchandani, senior director of product management and marketing at
VMware.
"If you just do that one thing, you will be vastly more secure and safe."
Virtual security tools can also help, but analysts warn clients to first consider
the products they already use before buying new ones specifically designed for
virtual servers. There are already 10 to 15 vendors offering VM-specific security
tools, and that figure will probably rise to 30 by year's end, says Chris Christiansen,
an analyst at IDC (a sister company to CXO media).
Consider this five-step checklist when securing a virtual server environment:
1.
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
VMware ESX Server in the Enterprise
By Edward L. Haletky
Published Dec 29, 2007 by Prentice Hall.
Enter now! | Official rules | Sample chapter
Green IT
By Toby Velte, Anthony Velte, Robert C. Elsenpeter
To be published Oct. 10, 2008 by McGraw Hill Professional
Enter now! | Official rules | About the book
