The challenge arises when the network and security teams discover that they've lost a good deal of the security visibility and operational control they once had, since both the network and hosts are virtualized on a single platform operated by the server administrators. This makes compliance, competencies and separation of duties trickier.
To ensure virtual security, work with your customers to address policies, procedures and responsibilities across server administration, network and security teams before you start deployments. This will limit the operational impact of virtualization.
Further, virtualization adds complexity that extends beyond management and provisioning, and changes the attack surface of your server and workstation deployments. Until security technology catches up with the virtualization vendors and tools become better integrated with the underlying virtualization infrastructure, recommend the following basic virtual security guidance to your customers:
- Follow the virtualization vendor's virtualization security hardening recommendations, paying strict attention to management and security settings.
- Harden virtual hosts by using the same processes, procedures and technologies you would employ on a physical server.
- Isolate virtual hosts in physically or logically segmented networks to prevent attackers from leapfrogging to traditionally secured physical hosts until you are comfortable with the impact virtualization has on security and networking.
- Group virtual machines that interact with one another on the same host using properly allocated virtual switch(es) to optimize performance and security.
- Perform a risk assessment that demonstrates clearly that the business understands what consolidating critical service infrastructure means to service levels, availability, business continuity planning and disaster recovery.
- Take into consideration that licensing models for security applications are still evolving in the virtualized world.
The best discussion to have with clients about virtualization is how to balance the business benefits with the potential operational, architectural and security changes, and be honest about how that will impact the organization.
Related Q&A from Christofer Hoff
Learn why companies that place too much emphasis on security regulatory compliance run the risk of neglecting a full-orbed structured assessment ...continue reading
Data leakage prevention (DLP) has become a feature of much larger information-centric lifecycle management suites of large companies with expansive ...continue reading
Learn why the upcoming changes to the Payment Card Industry Data Security Standard (PCI-DSS), designed to prevent further corporate data breaches, ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.