Securing Information Assets in a Virtual World
Some Things Never Change
As long as there have been computer administrators, there have been users who generate data, need support and have computer related problems. These challenges have been elevated due to today’s fast paced, dynamic and evolving IT environments, which are becoming increasingly virtualized.
Virtualization has started a race between producers and consumers of data to deliver or access information as rapidly and as simply as possible. This puts pressure on IT organizations to deliver hardware, software, and security infrastructures to match these ever growing demands.
The challenge is that these “ASAP all the time,” demands can lead to lack of oversight and thus weaken security plans, short-cut business processes and increase points of vulnerability.
Security in Layers
With all these rapid requests for data, databases, application servers, etc, IT network operational staff and administrators must still provide the best security possible. Maintaining layers of security is still vital and should not be overlooked just because the environment in question is virtual.
Virtual Doesn’t Mean Non-Critical
Critical services are increasingly provided by virtual servers, yet many administrators are guilty of saying “It’s just a virtual server.” or “It’s virtual so I can recover. No problem.” Yet that virtual server may be providing services like SharePoint, Exchange, Backup Servers, Databases and more. It shouldn’t go down, it’s key.
How Many Layers?
Since some things never change, here are some things we still need to worry about in our virtual infrastructures:
Vitualization is a Double-Edged Sword
Along with these layers, virtualization platforms provide tools that aid in securing the platforms which should be employed whenever possible. One major addition to these layers are custom tools from each provider such as Microsoft Best Practices Analyzer or VMware Security Server to identify holes in the layers allowing administrators to implement fixes or workarounds.
Taking control of virtual environment security can be easily achieved with current tool sets and enhanced further through capabilities native to the virtualization platform. Failing to use the standard security practices or enhancements provided by these virtualization engines will easily undermine all security process and procedures, resulting in holes in security.
In summary, here are a few “dos” and “don’ts” to keep in mind when securing virtual environments:
Do: Use layered security in virtual environments
Do: Use built-in security tools in virtual environments
Do: Use virtual switch configurations and VLANs
Do: Backup your virtual environments
Don’t: Sacrifice security to deploy virtualization
Don’t: Neglect virtual infrastructure