In 2007, one of the biggest questions about virtualization in data centers was, 'How much money and how much time do we need to protect ourselves here?' In 2008, the big question will be, 'How secure will we be?' That is a much harder question to answer. Vendors and advisers are circling this area. Some security researchers exaggerate theoretical risks, such as the emergence of malware that targets hypervisors (the control programs under virtual machines), a threat that has yet to appear in the real world. "There is a lot of talk about this virtualization problem, and it may be confusing," said Chris Wolf, an analyst with the market research firm Burton Group.
Adding fuel to the fire, many IT organizations say they prioritized speed over other considerations, including security planning, when they started creating hundreds of virtual machines (VMs) in 2007. (That is hardly surprising when you consider that most businesses started with virtualization on application development and test machines, not on servers running critical applications.)
'We think security will be an omission in virtualization. It's crazy when you think about the number of virtual machines at the production level,' said Stephen Elliott, IDC's director of enterprise management software. According to IDC data, up to 75% of companies with more than 1,000 employees are deploying virtualization technology today.
'Through 2009, about 60% of virtual machines in production will be less secure than physical machines,' said Gartner vice president Neil MacDonald in an October 2007 statement. However, much of the discussion about virtualization security misses the point, said security expert Chris Hoff, because people frame the debate by asking whether virtual servers are more or less secure than physical servers.
That is the wrong question, Hoff says; his blog often takes up the subject. The right question for now is: 'Are you applying what you already know about security to your virtualization environment?'
'People get hung up on theoretical problems when there is a clear path for what can be done today,' Hoff added. Virtualization has certainly introduced some new security issues, but the first thing is, 'We have to be realistic. Make sure we build virtual networks as well as we have built the physical network.'
As an example, he points to a virtualization management tool such as VMware's VMotion. It is very useful for moving virtual machines between hosts on the fly when problems arise, but it also lets someone with administrator privileges place two or more virtual machines together that, in the physical world, would have been carefully separated for network-security reasons.
Some IT organizations are making a fundamental error today: they let the server group run virtualization as a one-way effort without involving the security, storage and networking teams. This causes many security problems that have nothing to do with any inherent weakness in virtualization technology or products. 'This is a perfect opportunity to bring the supporting groups in with it,' Hoff said.
'Virtualization is 90% planning, and the plan has to include the network, security and storage support teams,' said Wolf of Burton Group. The fact is, however, that most IT support teams have paid little attention to virtualization and now have to catch up. What if you have missed the chance to plan with all your experts? Then you will have more to worry about as you expand the number of virtual machines and move more important applications, which need higher security, onto them.
'To catch up, start with a good understanding of the virtualization infrastructure, using tools or advisers, and then work back to the earlier issues,' Wolf said.
Here are 10 important steps businesses can take to tighten the security of their virtualization technology:
1. Control virtual machine sprawl
CIOs like Michael Abbene, who runs IT for Arch Coal, understand the problem of virtual machine sprawl: creating a virtual machine takes only a few minutes. VMs are great at isolating particular computing tasks. But the more virtual machines you have, the greater your risk, and one problem you now face is keeping control of all of them. 'We started by virtualizing test machines with low-profile, non-critical workloads, then moved to some low-profile application servers. We then built on that success, understanding that doing so was likely to increase the risk,' Abbene said. The company currently has about 45 virtual machines in production, including, he stressed, Active Directory servers and some application and web servers.
So how do you control this? One method: treat the creation of a virtual server the same way as the creation of the corresponding physical machine. At Arch Coal, the IT group is very strict about new virtual machines: 'People have to go through the same process whether it is a physical server or a virtual machine,' said Tom Carter, Arch Coal's Microsoft systems administrator.
To this end, Arch Coal's IT department uses a change board (made up of representatives from the relevant departments, including IT staff with knowledge of servers, storage and the basics) to approve or reject requests for new virtual servers. That means people in an application group cannot just build a VMware server and start creating virtual machines. VMware's VirtualCenter management tools, as well as Vizioncore tools, can also help manage the complexity of these virtual machines.
Do not ignore VM sprawl, IDC's Elliott said: 'The spread of virtual machines is a big problem, causing a lot of lag in the ability to manage and maintain performance.' He added: 'Unexpected management costs will increase if the number of virtual machines is out of control.'
2. Apply existing processes to virtual machines
Perhaps the most intriguing aspect of virtualization is its speed: you can create VMs in minutes, move them around flexibly, and bring new capacity to the business side of an application in days instead of weeks. But invest some thought in how virtualization fits into your existing IT processes, and you will head off security issues in time and reduce the headaches later.
'Process is an important thing. Think about virtualization not just from a technology perspective but from a process perspective.' If you use ITIL to guide your IT processes, think about how virtualization fits that process architecture. If you use another set of operational best practices, consider whether virtualization fits those processes.
One example: 'If you have a server hardening document (listing a set of security standards and rules for a new server installation), you should follow the same steps for a virtual machine as for a physical machine,' Hoff said.
At Arch Coal, Abbene's IT team has done just that: 'We took our best practices for securing physical servers and applied them to all virtual machines. The steps are the same: hardening the operating system, running an antivirus program on each virtual machine and applying security patches, following the same procedures on the virtual machines.'
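Steps 1 and 2 come down to one control: every VM goes through the same checklist as a physical server, and nothing runs in production without an owner and a change-board decision. The script below is an added example, not code from the article or from any of the companies it names. It audits a VM inventory export against such a checklist. The inventory fields, the 30-day patch threshold, the audit date and the three sample records are all constructed assumptions; a real run would read the export from VirtualCenter or the change-board system instead.

```python
"""Audit a VM inventory against the server build checklist.

Added example; the record layout, thresholds and sample data below are
constructed assumptions, not the article's or any vendor's format.
"""
from datetime import date

# Constructed "today" for the sample run, so results are reproducible.
AUDIT_DATE = date(2008, 1, 31)

# Constructed inventory export: one dict per VM, as a change board might see it.
INVENTORY = [
    {"name": "ad-vm01", "owner": "infra-team", "change_ticket": "CHG-1001",
     "os_hardened": True, "antivirus": True, "last_patched": "2008-01-10",
     "environment": "production"},
    {"name": "web-vm07", "owner": "", "change_ticket": None,
     "os_hardened": False, "antivirus": True, "last_patched": "2007-09-02",
     "environment": "production"},
    {"name": "dev-scratch3", "owner": "app-dev", "change_ticket": None,
     "os_hardened": False, "antivirus": False, "last_patched": "2007-11-20",
     "environment": "test"},
]


def audit_vm(vm, today=AUDIT_DATE, max_patch_age_days=30):
    """Return the checklist findings for one VM; an empty list means compliant.

    The checks mirror the article's physical-server practices: a named owner,
    a change-board ticket for anything in production, OS hardening, antivirus
    and a recent patch date.
    """
    findings = []
    if not vm.get("owner"):
        findings.append("no named owner")
    if vm["environment"] == "production" and not vm.get("change_ticket"):
        findings.append("no change-board ticket")
    if not vm.get("os_hardened"):
        findings.append("OS hardening baseline not applied")
    if not vm.get("antivirus"):
        findings.append("no antivirus agent")
    age = (today - date.fromisoformat(vm["last_patched"])).days
    if age > max_patch_age_days:
        findings.append(f"last patched {age} days ago")
    return findings


def audit_inventory(inventory=INVENTORY, today=AUDIT_DATE, max_patch_age_days=30):
    """Map VM name -> findings, listing only VMs that fail at least one check."""
    report = {}
    for vm in inventory:
        findings = audit_vm(vm, today, max_patch_age_days)
        if findings:
            report[vm["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory().items():
        print(f"{name}: {'; '.join(findings)}")
```

Run as a script it prints one line per non-compliant VM; the compliant Active Directory VM produces no output. The test environment VM is not required to have a change ticket, which is the one place the checklist is deliberately looser than for production.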
3. Start with existing security tools, but be cautious
Do you need a completely new set of security and management tools for your virtual environment? No. Start with the security tools you already use for physical servers and consciously apply them to the virtual environment, Hoff said. But push your vendors to tell you how they are keeping up with virtualization security risks and how they will integrate with other products later. 'There is a security-awareness problem around accepting tools for virtual environments,' IDC's Elliott said. 'It needs to be addressed early in the market,' with newly designed security tools that pay attention to virtualization. That means you have to leverage what is already there and push vendors to move faster than usual.
'Don't assume platform-level tools (like VMware's) are good enough for you,' Elliott said; consider the new entrants as well as the established management vendors. Push these vendors hard and give them guidance.
Jim DiMarzio, CIO at Mazda North America, follows this strategy. DiMarzio said he expects to have about 150 virtual machines in production by March 2008. He currently uses virtual servers for Active Directory, print servers, CRM application servers and web servers.
To secure these virtual machines, DiMarzio decided to continue with his existing firewalls and security products: IBM's Tivoli Access Manager, Cisco firewalls and Symantec's IDS. At Arch Coal, Abbene and his team are sticking with the security tools they already use while also investing in BlueLane and Reflex Security tools. "The security vendors need to try to catch up, and they are behind right now," Abbene said.
BlueLane's VirtualShield product for VMware claims to protect virtual machines even when certain patches have not yet been applied, to automatically scan for possible threats, to patch problem areas and to protect against some remote threats.
Reflex Security's Virtual Security Appliance (VSA), which Hoff describes, along with the BlueLane software, as one of the emerging products of interest, serves as a virtual intrusion detection system (IDS), adding a layer of security policy inside the physical device alongside the virtual machines. It can block attacks on the hypervisor and address other future issues, Abbene's group points out. Abbene also said his IT team has discussed adding a second internal firewall to further isolate virtual machines, but he worries this could affect the performance of virtualized applications.
Elliott of IDC cited several other virtual-system security tools worth checking: PlateSpin, known for its virtual-to-physical conversion and workload management tools; Vizioncore, known for file-level backup tools; Akorri, known for load balancing and performance management tools; and storage vendor EqualLogic, recently acquired by Dell and known for iSCSI storage area network (SAN) products used to optimize virtual machines.
4. Understand the value of the embedded hypervisor
You may have read about the embedded hypervisor; if not, it is an area IT leaders should understand. The hypervisor is the software layer on a server that provides the virtual machine environment and serves as the base on which virtual machines run. VMware recently stated that its ESX Server 3i hypervisor is designed to be very small (32MB) for security reasons, with no operating system to secure. (No operating system means no operating system to maintain.)
Some hardware companies, such as Dell and HP, have recently announced that they will ship versions of their physical servers with VMware's hypervisor embedded. Fundamentally, an embedded hypervisor is safer because it is smaller, IDC's Elliott says. 'The more code there is, the more likely it is to have a breach, and that has become part of your architectural decision.'
Embedded hypervisors will be a big trend, Elliott said, and you can see this from most server vendors as well as from some companies that have not been in this field before. Phoenix Technologies, a leader in BIOS software, recently announced that it will enter the hypervisor market with a product called HyperCore: a hypervisor for desktops and laptops that lets users turn on the computer and use a basic web browser and email client without waiting for Windows to start. (HyperCore will be embedded in the BIOS.)
Competition and innovation in the hypervisor market will be good for businesses, Hoff said. The end result can be products that are small and perform well.
A small attack surface is not the only benefit of an embedded hypervisor. Mazda's IT team is looking forward to the arrival of Dell servers with the VMware ESX Server hypervisor embedded, said Kai Sookwongse, IT systems manager for LAN/server, who works for DiMarzio at Mazda. 'One of the features we are expecting from Dell's embedded ESX is that all virtual machine images can live on the SAN,' Sookwongse said. 'When we start the server, it can boot from the image on the SAN. This centralizes management and security, and it means Mazda can order a server without a drive if desired, which has physical security implications.'
5. Do not grant excessive permissions on virtual machines
Keep in mind that when you grant administrative access to a virtual machine, you grant access to all the data on that virtual machine. Think carefully about what type of account and what access the employees in charge of backup tasks actually need, Burton Group's Wolf advises. In addition, some third-party vendors offer advice that no longer matches VM security requirements for storage and backup. Wolf adds, 'Some vendors don't even follow VMware's best practices for its own VMware Consolidated Backup.'
Application developers need only minimal access. 'Our application people can access their shares, or have minimal access, but not access to the operating system,' Carter said. This helps control virtual machines while improving security.
6. Look at how you store backups
Some businesses keep their backups on today's SANs, Wolf said. Storage is not a problem you can solve all at once, he said.
If you are working with VMotion, VMware's tool for moving virtual machines dynamically, you can assign some storage areas in the SAN. However, you will want to make that storage assignment more granular. Also, N-Port ID Virtualization, a technology that lets IT assign storage to an individual virtual machine, is a worthwhile investment, Wolf advises.
7. Ensure network segments are properly isolated throughout the system
When an enterprise moves to virtualization, it should not ignore network traffic risks. Some of these risks can be accidentally overlooked, especially when IT leaders are busy implementing virtualization plans. "A lot of organizations use performance as the simple basis for consolidation," Wolf said. (When deciding which application servers to place as virtual machines on one physical machine, the IT group focuses first on the performance needs of the application servers, to avoid asking any physical machine to carry too much load.) "They forget the security restrictions on network traffic that shouldn't be placed together," Wolf said. For example, some CIOs are deciding not to allow any virtual server in the DMZ (the demilitarized zone, a subnet that hosts Internet-facing services such as e-commerce servers and adds a buffer between the Internet and the LAN).
If you have several VMs in the DMZ, you may want them on networks physically separate from your other systems, Wolf said. At Arch Coal, Abbene said, the IT group thought about the DMZ from the beginning.
They deployed virtual servers on the internal LAN but none in the DMZ. 'It is a key decision that was made early,' said Abbene, whose company has several secure FTP servers and a few other servers doing light e-commerce work in the DMZ; there are no plans for virtual machines there, he added.
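The point in step 7, and the VMotion concern raised earlier in the article, is that consolidation driven by performance alone can put a DMZ guest on the same host, or even the same virtual switch, as internal guests that the physical network kept apart. The checker below is an added example, not code from the article or from VMware; it runs over a placement snapshot and reports hosts and virtual switches that mix zones, and it offers a pre-check for a VMotion-style move. The zone names, the host and VM names, the snapshot layout and the rule that the DMZ zone may never share a host with any other zone are constructed assumptions; a real deployment would populate the snapshot from VirtualCenter's inventory.

```python
"""Zone-separation checks over a VM placement snapshot.

Added example; the snapshot layout, zone names and isolation rule are
constructed assumptions, not VMware's or the article's data.
"""

# Constructed placement snapshot: host -> list of (vm, zone, vswitch).
PLACEMENT = {
    "esx-host-01": [("crm-vm1", "internal", "vSwitch0"),
                    ("ad-vm01", "internal", "vSwitch0")],
    "esx-host-02": [("sftp-vm1", "dmz", "vSwitch1"),
                    ("print-vm2", "internal", "vSwitch1")],
    "esx-host-03": [("shop-vm1", "dmz", "vSwitch1"),
                    ("web-vm7", "dmz", "vSwitch1")],
}

# Zones that must never share a host with any other zone (the article's
# "physically separate network" for DMZ systems, expressed as a placement rule).
ISOLATED_ZONES = {"dmz"}


def host_violations(placement, isolated_zones=ISOLATED_ZONES):
    """Hosts carrying an isolated-zone VM next to a VM from another zone."""
    bad = {}
    for host, vms in placement.items():
        zones = {zone for _, zone, _ in vms}
        if zones & isolated_zones and len(zones) > 1:
            bad[host] = sorted(zones)
    return bad


def vswitch_violations(placement):
    """Virtual switches shared by VMs of more than one zone.

    Even when hosts are clean, a shared vSwitch puts the guests on one
    layer-2 segment, which undoes the separation the physical network had.
    """
    bad = {}
    for host, vms in placement.items():
        per_switch = {}
        for _, zone, switch in vms:
            per_switch.setdefault(switch, set()).add(zone)
        for switch, zones in per_switch.items():
            if len(zones) > 1:
                bad[(host, switch)] = sorted(zones)
    return bad


def migration_allowed(placement, vm_name, target_host, isolated_zones=ISOLATED_ZONES):
    """Pre-check for a VMotion-style move of vm_name onto target_host.

    Refuses any move that would place an isolated-zone VM beside another
    zone, or another zone beside an isolated-zone VM. An empty host is fine.
    """
    zone = next(z for vms in placement.values() for name, z, _ in vms if name == vm_name)
    target_zones = {z for _, z, _ in placement.get(target_host, [])}
    if not target_zones:
        return True
    if zone in isolated_zones or target_zones & isolated_zones:
        return target_zones == {zone}
    return True


if __name__ == "__main__":
    print("hosts mixing zones:", host_violations(PLACEMENT))
    print("vSwitches mixing zones:", vswitch_violations(PLACEMENT))
    print("move web-vm7 -> esx-host-01 allowed:",
          migration_allowed(PLACEMENT, "web-vm7", "esx-host-01"))
```

In the sample snapshot only esx-host-02 is flagged, on both checks, because its DMZ secure-FTP guest and an internal print server sit on the same host and the same vSwitch1. The migration pre-check is the kind of gate the article's administrator-privilege concern calls for: the move is refused before it happens rather than discovered afterwards.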
8. Pay attention to virtual switches
When is a switch not a switch? 'Some virtual switches work like hubs: each port is mirrored to all the other ports on the virtual switch,' said Wolf of Burton Group. Microsoft Virtual Server currently has this problem, Wolf said; VMware's ESX Server does not, nor does Citrix XenServer. 'People hear the term "switch" and think of isolation. It's completely different depending on the brand,' Wolf said. Microsoft has said the switch problem will be fixed in its upcoming Viridian server virtualization product, Wolf added.
9. Check for 'rogue' virtual machines
Servers are not your only worry. 'The biggest threat is on the client side: rogue virtual machines,' said Burton Group's Wolf. So what is a rogue virtual machine? Remember, your users can download and use free programs such as VMware Player, which lets laptop and desktop users run any virtual machine already created with VMware Workstation, Server or ESX Server.
Many users now like to use virtual machines on workstations or laptops to separate work-related activity from personal activity. Some use VMware Player to run multiple operating systems on one machine: Linux as the base operating system, with a virtual machine to run Windows applications. (IT groups can also use VMware Player to evaluate virtual appliances, software products delivered as a VM.)
'Sometimes these virtual machines don't get the right patches,' says Wolf. 'These systems are exposed to your network, and they are all unmanaged operating systems.'
'There are a lot of risks you might encounter,' says Wolf, noting that machines running rogue virtual machines can become a virus or worm distribution point for the physical network. For example, it is very easy for someone to bring up a DHCP server that hands out bogus IP addresses, which is effectively a denial of service (DoS). At the very least, you will spend IT resources tracking down the problem. 'It may be as simple as a user error that introduces services onto the production network.'
So how do you prevent these virtual machines? Control who has VMware Workstation, especially among beginners (because it is needed to create a VM). IT can use Group Policy to block certain actions, such as installing VMware Player, Wolf adds. Another way: periodically audit users' hard drives.
Has this become another point in the debate between users and IT, where savvy users want to use virtual machines at work the way they do on their home computers? Not yet, Wolf said.
If you want to allow virtual machines on users' computers, tools such as VMware's Lab Manager and a number of other management tools can help control and test these virtual machines.
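Step 9 ends with two controls: Group Policy to block installation of the player, and periodic audits of users' hard drives. The script below is an added example, not code from the article or from VMware, of what such an audit can look for: VM configuration and disk files on a workstation, and, among the configurations found, guests whose first network adapter is bridged onto the host's LAN (the setup in which a guest's DHCP server would reach the production network). The directory layout, the two sample guests and the list of file extensions scanned are constructed assumptions; the key = "value" line format and the ethernet0.connectionType and displayName keys are VMware's own .vmx format.

```python
"""Find VM images on a workstation and flag guests bridged onto the LAN.

Added example; the sample tree and guests are constructed. The .vmx line
format and the ethernet0.* / displayName keys are VMware's; everything
else here is an assumption of this script.
"""
import os
import re
import tempfile

# File types the audit treats as "a VM lives here": VMware config and disk
# files plus Microsoft Virtual Server disks. Assumed list; extend as needed.
VM_EXTENSIONS = {".vmx", ".vmdk", ".vhd"}

# VMware .vmx files are lines of:   key = "value"
_VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse .vmx key = "value" lines into a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        match = _VMX_LINE.match(line)
        if match:
            cfg[match.group(1).lower()] = match.group(2)
    return cfg


def find_vm_files(root):
    """Return every VM-related file below root as sorted, root-relative paths."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in VM_EXTENSIONS:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def bridged_guests(root):
    """Display names of guests whose first NIC is bridged to the host's LAN.

    A missing ethernet0.connectionType is treated as bridged, which is
    assumed here to be the default when the key is absent.
    """
    flagged = []
    for rel in find_vm_files(root):
        if not rel.lower().endswith(".vmx"):
            continue
        with open(os.path.join(root, rel)) as fh:
            cfg = parse_vmx(fh.read())
        present = cfg.get("ethernet0.present", "").lower() == "true"
        bridged = cfg.get("ethernet0.connectiontype", "bridged").lower() == "bridged"
        if present and bridged:
            flagged.append(cfg.get("displayname", rel))
    return flagged


def build_sample_tree():
    """Constructed workstation tree: one NAT guest, one bridged guest, one non-VM file."""
    root = tempfile.mkdtemp(prefix="vmscan-")
    guests = {
        "Documents/VMs/testbox/testbox.vmx":
            'config.version = "8"\ndisplayName = "testbox"\n'
            'ethernet0.present = "TRUE"\nethernet0.connectionType = "nat"\n',
        "Downloads/lab/lab.vmx":
            'displayName = "lab-dhcp"\nethernet0.present = "TRUE"\n'
            'ethernet0.connectionType = "bridged"\n',
    }
    for rel, body in guests.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    open(os.path.join(root, "Downloads/lab/lab.vmdk"), "w").close()
    open(os.path.join(root, "Documents/notes.txt"), "w").close()
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("VM files:", find_vm_files(sample_root))
    print("bridged guests:", bridged_guests(sample_root))
```

On the sample tree the audit lists three VM files and flags only the lab-dhcp guest, because the testbox guest uses NAT and never puts its own addresses on the physical segment. Pointing find_vm_files at a user profile directory instead of the sample tree gives the periodic hard-drive check the article recommends; the output is an inventory for IT to follow up, not a verdict on the user.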
10. Remember to plan your budget for virtualization
'Budget for virtualization security and management. It may not need to be a separate budget from your overall security budget, but listing and budgeting for all security needs is a necessity,' said IDC's Elliott.
In addition, be careful to include security costs when calculating virtualization ROI. 'You may not see lower security costs, because you need to apply some of your existing security tools to each VM you create,' Hoff reminded. If you don't anticipate these costs, they become a big problem later.
According to Gartner, this is a common mistake. Through 2009, about 90% of virtualization deployments will have unexpected costs, such as security costs, according to Gartner vice president Neil MacDonald.