The scary side of virtualization

After pushing forward with server virtualization, some IT executives are rethinking the security implications

Page 5 of 6

Failure to implement best practices, or to establish a clear separation of duties in virtual infrastructure, is at the source of a problem that's all too common, says RSA Security's Mulé. "Folks still today don't like to practice segregation of duties. They give the crown jewels to a small number of people." He recommends developing a strong change management process that includes issuance of change management tickets. "Don't run things in a bubble," he warns.

Condit agrees. "In the virtual world, there is no inherent separation of duties, so you have to build that in," he says. Change management, configuration management and asset control are vital to securing the virtual infrastructure.

Compliance is another concern. As director of systems engineering at the Council of Europe Development Bank, Jean-Louis Nguyen needed to monitor activity to ensure that the administrators of 140 virtual machines were in conformance with regulations and management requirements. The bank tried using VMware's logging capabilities but needed a better way to consolidate the information. "Getting at those logs was nontrivial," he says. He ended up using a dedicated tool from HyTrust that provides a central log of all activity.

The bank also used HyTrust to set up a completely segregated virtual environment for the chief security officer, who has total control over the physical and virtual infrastructure that undergirds security-related software. The CSO can monitor all production virtual servers and the configurations but can't make any changes. "It was very complicated to set that up in ESX," he says.

"The key is to ensure your management that there's no administrator abuse. We needed to be certain that we're administering systems and not peeking into the data," Nguyen says.

Other tools can layer on more control. For example, start-up Catbird Networks offers a policy management tool suite that can both alert the administrator to policy violations and quarantine any virtual machine that breaks the rules. "You need to know where a virtual machine goes and what it is doing when it gets there. If you don't like what it's doing, you have to be able to stop it," says Tamar Newberger, a vice president at Scotts Valley, Calif.-based Catbird.

At Rent-a-Center, extra tools weren't needed: A strong check-and-balance policy was enough to satisfy management's needs. The company's security director "put a process in place that says we cannot put a server into production until his team has signed off on it," says Chanani.

"Do you need a controlling piece of technology in place? No. But do you need good governance and monitoring? Absolutely," RSA Security's Mulé says.
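The controls the article describes (an administrator who cannot change anything without a change-management ticket, a security officer who can see every production server and configuration but cannot modify it, and a sign-off gate before a server reaches production) can be expressed as a small policy decision point. The following Python is an added example written for this page; it is not code from HyTrust, Catbird, VMware or any of the companies quoted. The role names, action names, the "CHG-nnnn" ticket format and the `ControlPlane` bookkeeping are all assumptions, and the sample requests at the bottom are constructed.

```python
"""Toy policy decision point for virtual-infrastructure changes (hypothetical example).

Separation of duties is built in explicitly: VM administrators may change things
only under a ticket, security reviewers may read and sign off but never change,
and promotion to production needs a sign-off from someone other than the requester.
Every decision lands in one central audit record, which is the log the compliance
team actually wants to read.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(Enum):
    VM_ADMIN = "vm_admin"                    # may change infrastructure, with a ticket
    SECURITY_REVIEWER = "security_reviewer"  # CSO's team: observe and approve, never change
    AUDITOR = "auditor"                      # read logs and configurations only


# Actions that only observe state. Anything not listed here is treated as a change.
READ_ONLY_ACTIONS = {"list_vms", "read_config", "read_logs"}


@dataclass
class ChangeRequest:
    actor: str
    role: Role
    action: str
    vm: str
    ticket: Optional[str] = None        # change-management ticket id, assumed format "CHG-1001"
    promote_to_production: bool = False


@dataclass
class ControlPlane:
    """Central record of who may sign off, which tickets were signed off, and every decision."""
    security_team: set = field(default_factory=set)  # actors allowed to sign off
    approvals: dict = field(default_factory=dict)    # ticket id -> set of approvers
    audit_log: list = field(default_factory=list)    # one line per decision, consolidated

    def sign_off(self, ticket: str, approver: str) -> bool:
        """Record a security sign-off; only members of the security team may give one."""
        if approver not in self.security_team:
            self.audit_log.append(f"DENY sign-off {ticket} by {approver}: not on security team")
            return False
        self.approvals.setdefault(ticket, set()).add(approver)
        self.audit_log.append(f"SIGN-OFF {ticket} by {approver}")
        return True


def decide(req: ChangeRequest, cp: ControlPlane):
    """Return (allowed, reason) for a request and append the outcome to the audit log."""

    def record(allowed: bool, reason: str):
        verdict = "ALLOW" if allowed else "DENY"
        cp.audit_log.append(
            f"{verdict} {req.actor}({req.role.value}) {req.action} {req.vm}: {reason}"
        )
        return allowed, reason

    # Rule 1: anyone with a role may look; the CSO's view is read-only by construction.
    if req.action in READ_ONLY_ACTIONS:
        return record(True, "read-only action")

    # Rule 2: only VM administrators may change infrastructure.
    if req.role is not Role.VM_ADMIN:
        return record(False, f"role {req.role.value} may not change infrastructure")

    # Rule 3: no change runs "in a bubble"; it must reference a change ticket.
    if not req.ticket:
        return record(False, "change without change-management ticket")

    # Rule 4: going to production needs a sign-off from someone other than the requester.
    if req.promote_to_production:
        independent = cp.approvals.get(req.ticket, set()) - {req.actor}
        if not independent:
            return record(False, f"{req.ticket} lacks independent security sign-off")
        return record(True, f"{req.ticket} signed off by {', '.join(sorted(independent))}")

    return record(True, f"change under {req.ticket}")


if __name__ == "__main__":
    # Constructed walk-through: a CSO who can only look, an admin who needs a ticket
    # and a sign-off before a server goes live.
    cp = ControlPlane(security_team={"cso_bob"})
    decide(ChangeRequest("cso_bob", Role.SECURITY_REVIEWER, "read_config", "vm-07"), cp)
    decide(ChangeRequest("cso_bob", Role.SECURITY_REVIEWER, "reconfigure", "vm-07", ticket="CHG-1001"), cp)
    decide(ChangeRequest("alice", Role.VM_ADMIN, "reconfigure", "vm-07"), cp)
    decide(ChangeRequest("alice", Role.VM_ADMIN, "reconfigure", "vm-07", ticket="CHG-1001"), cp)
    promo = ChangeRequest("alice", Role.VM_ADMIN, "deploy", "vm-07", ticket="CHG-1001",
                          promote_to_production=True)
    decide(promo, cp)
    cp.sign_off("CHG-1001", "alice")   # requester cannot sign off her own change
    cp.sign_off("CHG-1001", "cso_bob")
    decide(promo, cp)
    print("\n".join(cp.audit_log))
```

The point of keeping `audit_log` on one object is the consolidation problem Nguyen describes: whether a request was allowed or denied, and who signed off on what, is answered from a single record rather than from per-host logs. The self-approval check lives in `decide` (the requester is subtracted from the approver set) rather than in `sign_off`, so an administrator who also happens to be on the security team still cannot promote her own change.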
