Software
News
10/6/2011
12:15 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Virtualization Security Checklist

Take these 4 steps to improve the security of your virtualization infrastructure.

What's the most dangerous threat to your virtualized systems? Hint: it's not the latest zero-day exploit. The most pressing risk is IT staff who have full privileges in these systems.

Take the February 2011 attack by an IT employee who'd been laid off from a pharmaceutical company. The ex- employee logged in remotely and deleted virtual hosts that ran the company's critical applications, including email, financial software, and order tracking. The company sustained about $800,000 in losses from a few keystrokes, the FBI says.

We're not saying your administrators will go rogue, but our September 2010 survey on virtualization security found that access to virtualization systems is fairly widespread: 42% of respondents say administrators have access to guest virtual machines. It only makes sense to take precautions, such as security monitoring, so that one person, whether maliciously or inadvertently, doesn't bring down critical apps and services.

Virtualized systems make it harder to manage risk, but sensible security practices still apply. Here are four steps to help you protect virtual assets and respond to threats and incidents.

1. Secure Layers

Virtual environments are made up of layers, so you'll want to implement security controls at each layer within the virtual architecture, including controls that you already have in your environment. For example, at the virtual switch layer, redirect traffic out to a firewall or an intrusion prevention system to monitor traffic. Alternatively, use a virtual firewall within the VM cluster.

The primary virtual layers to address include the hypervisor and guest operating systems, the virtual network that connects VMs, the physical network, the virtualization management system, and physical storage of VM images.

2. Define And Document

You can't place security controls around elements you don't know are there. Thus, it's vital to have accurate, up-to-date information on your virtual environment. That means being able to identify the components in your virtual infrastructure. Make sure you document the primary functions of these components and their owners and administrators.

It's also critical to understand how data traffic flows through your infrastructure, because the type of data will determine which controls are needed. For example, most companies take extra steps to secure virtual database servers that store critical business data. However, your backups also have copies of this confidential data. Track data flows from start to finish to identify critical areas where additional security measures are needed.

How concerned are you about security?

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Google in the Enterprise Survey
Google in the Enterprise Survey
There's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity ­products, and 69 percent cite Google Apps' good or excellent ­mobility. But progress could still stall: 59 percent of nonusers ­distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - September 10, 2014
A high-scale relational database? NoSQL database? Hadoop? Event-processing technology? When it comes to big data, one size doesn't fit all. Here's how to decide.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.