The challenge arises when the network and security teams discover that they have lost much of the security visibility and operational control they once had: both the network and the hosts are now virtualized on a single platform operated by the server administrators, so a single admin role can reconfigure networking, storage and guests at once. This complicates compliance, staff competencies and separation of duties.
To ensure virtual security, work with your customers to address policies, procedures and responsibilities across server administration, network and security teams before you start deployments. This will limit the operational impact of virtualization.
Further, virtualization adds complexity that extends beyond management and provisioning, and it changes the attack surface of your server and workstation deployments: the hypervisor and its management interfaces become a new, high-value target, and guest-to-guest traffic on a virtual switch is invisible to network monitoring that sits on physical links. Until security technology catches up with the virtualization vendors and the tools are better integrated with the underlying virtualization infrastructure, recommend the following basic virtual security guidance to your customers:
- Follow the virtualization vendor's virtualization security hardening recommendations, paying strict attention to management and security settings.
- Harden virtual hosts by using the same processes, procedures and technologies you would employ on a physical server.
- Isolate virtual hosts in physically or logically segmented networks to prevent attackers from leapfrogging to traditionally secured physical hosts until you are comfortable with the impact virtualization has on security and networking.
- Group virtual machines that interact with one another on the same host, attached to properly allocated virtual switch(es), so that their traffic stays on the host rather than crossing the physical network; this helps both performance and security, as long as each virtual switch carries only one trust zone.
- Perform a risk assessment that demonstrates clearly that the business understands what consolidating critical service infrastructure means to service levels, availability, business continuity planning and disaster recovery.
- Take into consideration that licensing models for security applications are still evolving in the virtualized world.
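The segmentation points above (isolate VMs by zone, and keep each virtual switch to one trust zone) are the kind of rule that drifts as server administrators add interfaces over time, so it is worth checking mechanically. The following is an added example, not code from the original article or from any virtualization vendor. It assumes libvirt-style domain XML as the inventory format (the `<interface type='network'><source network='...'/>` form), a hypothetical policy table `NETWORK_ZONES` that maps each virtual network to a security zone, and constructed sample definitions; a VM with interfaces in more than one zone bridges segments and is reported, as is any interface on a network the policy does not classify.

```python
"""Audit VM definitions for virtual-switch segmentation violations.

Added example (not from the original article). Assumptions: VM definitions
are libvirt domain XML; the local policy table NETWORK_ZONES (hypothetical)
assigns each virtual network to a trust zone; the sample XML is constructed.
"""
import xml.etree.ElementTree as ET

# Hypothetical policy: which virtual network (virtual switch) belongs to
# which security zone. Anything not listed is treated as unclassified.
NETWORK_ZONES = {
    "dmz-net": "dmz",
    "internal-net": "internal",
    "mgmt-net": "management",
}

# Constructed sample inventory: four libvirt-style domain definitions.
SAMPLE_DOMAINS = [
    """<domain type='kvm'><name>web01</name><devices>
         <interface type='network'><source network='dmz-net'/></interface>
       </devices></domain>""",
    """<domain type='kvm'><name>db01</name><devices>
         <interface type='network'><source network='internal-net'/></interface>
       </devices></domain>""",
    # A "convenience" second NIC that quietly joins the DMZ to the internal zone.
    """<domain type='kvm'><name>jump01</name><devices>
         <interface type='network'><source network='dmz-net'/></interface>
         <interface type='network'><source network='internal-net'/></interface>
       </devices></domain>""",
    # Attached straight to a host bridge that the policy never classified.
    """<domain type='kvm'><name>lab01</name><devices>
         <interface type='bridge'><source bridge='br0'/></interface>
       </devices></domain>""",
]


def interface_networks(domain_xml):
    """Return (vm_name, [network labels]) for one domain definition.

    libvirt 'network' interfaces are named by their virtual network; direct
    'bridge' interfaces are labelled 'bridge:<name>' so they are visible too.
    """
    root = ET.fromstring(domain_xml.strip())
    name = root.findtext("name")
    nets = []
    for iface in root.findall("./devices/interface"):
        src = iface.find("source")
        if src is None:
            continue
        if iface.get("type") == "network":
            nets.append(src.get("network"))
        elif iface.get("type") == "bridge":
            nets.append("bridge:" + src.get("bridge"))
    return name, nets


def zone_violations(domain_xml):
    """Findings for one VM: unclassified networks and cross-zone bridging."""
    name, nets = interface_networks(domain_xml)
    zones = set()
    findings = []
    for net in nets:
        zone = NETWORK_ZONES.get(net)
        if zone is None:
            findings.append(f"{name}: interface on unclassified network {net!r}")
            continue
        zones.add(zone)
    if len(zones) > 1:
        findings.append(f"{name}: spans zones {sorted(zones)}; VM bridges segments")
    return findings


def audit(domains):
    """Run zone_violations over an inventory; an empty list means it is clean."""
    return [f for d in domains for f in zone_violations(d)]


def vms_per_network(domains):
    """Map each network to the VMs attached to it: shows which VMs actually
    share a virtual switch, which is what the 'group interacting VMs on one
    host' recommendation is about."""
    groups = {}
    for d in domains:
        name, nets = interface_networks(d)
        for net in nets:
            groups.setdefault(net, []).append(name)
    return groups


if __name__ == "__main__":
    for finding in audit(SAMPLE_DOMAINS):
        print("FINDING:", finding)
    for net, vms in sorted(vms_per_network(SAMPLE_DOMAINS).items()):
        print(f"{net}: {', '.join(vms)}")
```

Run against real inventory by feeding it the output of `virsh dumpxml` for each domain (or the equivalent export from another hypervisor, with the parser adjusted). The point of keeping the zone table outside the hypervisor is separation of duties: the security team owns the policy, the server administrators own the definitions, and the audit shows where the two disagree.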
The best discussion to have with clients about virtualization is how to balance the business benefits with the potential operational, architectural and security changes, and be honest about how that will impact the organization.
This was first published in April 2008