In a tough economy, managing costs becomes the buzzword of the day, and for many business owners and executives, not to mention IT network managers and administrators, it’s hard to ignore the efficiencies of a virtualized server environment. On the plus side, there are proven advantages: lower costs, less overhead, fewer hardware headaches, better disaster recovery, flexibility and scalability; while on the downside, there is one major concern: security.


The truth of the matter is that virtual environments need a little more work and vigilance to protect, and there are concerns that once inside a virtual system, malware or maleficent intruders can hack away undetected.


Less than 18 months ago, Neil MacDonald, vice president at Gartner, flagged the trend to virtualization, saying that in the rush to free themselves from the main IT structure, many organizations would be remiss if they let their security policies weaken through benign neglect. In fact, Gartner predicted, based on data at the time, that through 2012 some 60 per cent of virtualized servers would be more vulnerable than the physical servers they usurped. “I think there’s better ongoing awareness of security issues associated with virtualization,” says MacDonald, looking back on that report. “I think, today, the vendors have matured, and right conversations are being held.”


Still, there are some serious issues with a virtualized environment that differ from a physical one. Here are the top five security concerns Canadian companies should be thinking about before and when they delve into virtualization:


• DON’T GET HYPNOTIZED BY THE COST SAVINGS: As MacDonald notes, the prudent move is to put some of the savings into enhanced security measures, since no amount of cost savings will justify the expense of a security breach. Despite the improvements, MacDonald’s words from 18 months ago are still a guiding light: managing the hypervisor and virtual machine monitor, that new layer of software which differentiates virtual from physical, is paramount because a breach here could compromise all operations inside the virtual machine. Furthermore, Gartner cautioned at the time – and it is still worth bearing in mind today – that relying on host-based security controls for protection is a mistake.


Robert Beggs, founder of Digital Defence, a cyber-security company based in the Toronto area, says cost savings aren’t everything. “There’s an anticipation that there are cost savings and that if you take an insecure version of software like Windows NT4 and put it on secure virtual carrier all of a sudden it’s going to make it all secure – and that’s not true,” he says. “You’re putting all your easy-to-detect eggs in one basket.”


• NEW TECHNOLOGIES NEED NEW TOOLS: Gabriel Consulting Group (GCG), in partnership with McAfee, recently released a survey of IT managers that included a section on virtualization. It found a shocking 70 per cent were “using the same tools to secure both physical and virtualized systems.” The issue, however, is that modified solutions aren’t the best idea. Of course, not many security suites are optimized for virtualized systems. “We’d think that there must be some virtualization features (like partition mobility) that need special treatment from a security perspective,” GCG commented. Going back to Gartner’s initial warning, the seemingly blasé approach reflected in the GCG report is alarming. Indeed, GCG quotes Gartner: “Network-based security devices are blind to communications between virtual machines within a single host; and when physical servers are combined into a single machine, there is risk that system administrators and users could gain access to data they’re not allowed to see.”


• TALK EARLY AND TALK OFTEN: Not surprisingly, one of the biggest issues in the trend to virtualization was the lack of communication with the organization’s security team. As MacDonald notes, that conversation is happening at the outset more often than not these days, but it’s still a critical component. Knowing the vulnerabilities from a security standpoint means being able to create gates integrated into the platform.


As MacDonald notes, the vendors have gained positive traction in the past year alone. The evolution of newer tools from vendors is closing the door on many of the vulnerabilities of virtualization, says Rodney Rock of VMware.


“With regulatory scan of 80 security policies you can set the virtual machine to flag and lock down anything automatically,” he adds.


This gives administrators time to investigate the issue, declare it benign, or quarantine it as a threat. Similarly, data packets can also be scanned with a security algorithm to flag suspicious activity. “The goal is to eliminate those blind spots,” Rock says.


• THE VIRUS CREATORS ARE SMARTER THAN YOU THINK: Viruses aren’t dumb. They’re now programmed to think in a virtual environment, which is bad news for security-on-the-cheap practitioners who would simply shut down a machine if a threat was detected and fry everything to cyberdust. Targets for malware include the virtual machine workload (the OS, apps and data); the APIs controlling virtual machines, which may communicate with other IT tools; and the hypervisor. John Burke at Nemertes Research told a conference in Boston, Mass., earlier this year that too many IT managers are completely unprepared for this kind of emerging threat. The biggest issue is that “it hasn’t happened yet,” he said, which should ring more than a few alarm bells. In the trade-off between security and efficiency, he says, too often optimism wins over the pragmatists. His suggestion: audit, audit, audit.


• THE NEXT FRONTIER: For Rajneesh Chopra, Cisco product line manager for network security and management, the evolution of virtualization is a series of milestones, with more to come. One much-anticipated milestone is interoperability. As Gartner’s MacDonald notes, there’s still a challenge of having different platforms connect with each other in a virtual world, especially around security. “It’s a journey,” he remarks. “There are some miles to go, but we have passed some significant milestones already.”


Ian Harvey is a freelance writer in Toronto, Ont. • SECURITY MATTERS

