Securing Your Virtual Environment: A Lowdown

 

Recently, virtualization giant VMware scrambled to release security patches for an ESX server hypervisor source code leak that was published in April and allegedly perpetrated by a hacker from the global collective Anonymous. The recent patch repaired critical vulnerabilities that could have enabled an attacker to execute malicious code remotely on the host and leave an end-user’s virtualized environment susceptible to a compromising cyber attack.

Among other things, the incident called into question the security of virtualized data and for some, how the eventual migration to virtualized network infrastructure would ultimately impact an organization’s security standing.

No doubt, the transportable nature of a virtual environment generally adds another layer of complexity in the overall security of the network that can often leave security holes if organizations aren’t aware of the location of their data or what it takes to secure it.

But whether virtual data is more or less secure largely depends on the caliber of organization’s security posture, experts say. And opinions on how to secure a virtual environment are as numerous and diverse as organizations that house it.

 

“There’s no single one answer. You need to assess what that environment is, what they’re trying to do and put the proper pieces in place,” Jason Bandouveres, Fortinet senior product specialist.

 

And no doubt, the security of the virtual system will largely depend on the nature of the organization as well as the type of virtual data and infrastructure needing to be secured. But regardless of how complex or unique the organization’s infrastructure needs, there are some basic security requirements that are necessary throughout all virtual environments, Bandouveres says.

 

First, Bandouveres contends that despite the fact that organizations will progressively virtualize more and more of their infrastructure, they will still need to adopt some kind of hybrid environment and create some kind of a balance with both physical and virtual security mechanisms to adequately secure their data.

 

The reason? Ultimately, whether secured via a physical or virtual system, data stored via the virtual environment needs to be protected.

 

Talking to the Gartner’s of the world, we’re seeing a definite need for both physical and virtual assets to secure both of these,” Bandouveres says. “You have to secure that environment in and of itself. Physical security is at the core of the network. You need to secure the perimeter of that virtual environment, whether private or public cloud, you still need to protect those physical assets and physical links.”

 

Physical security systems are usually necessary due to the fact that the virtual environment is running on physical devices, Bandouveres says. “Your virtual environment is running on some type of hardware, there are physical servers, there’s physical storage, network, etc… Security devices are definitely necessary to protect the perimeter of these environments.”

 

Also, in a multi-tenant or multi-client environment, the providers need to configure segregated security zones just as they would in physical environments. At this point, they will be required to invest in security virtual appliances to secure these zones from each other so that traffic won’t be required to route out of the virtual environment through physical security appliances and routed back into the virtual environment to employ a proper security zone, he added.

 

For example, Company A could be hosting Web servers and application servers on the same physical assets as Company B within a publicly available cloud.

 

“The beauty of these virtual machines is that they could be running anywhere in that cloud, but the cloud provider needs to segregate one tenant from another tenant to make sure there’s no leak over,” Bandouveres says, adding, for example, as there could be with Web servers that house and protect certain kinds of credit card information from the various clients. That segregated traffic then needs to be rerouted right back into the virtual environment, he adds.

 

“There are certain compliance regulations that need to be met, so there’re no potential security issues. You need to make sure to have a rock solid security policy and segregate those aspects in a virtual environment, as well,” Bandouveres says. “You could have assets that shouldn’t be talking to or sitting near other data on the physical servers. You need to secure inter VM traffic and different workloads on the same physical host. You don’t generally have that issue in a physical environment.”

 

In addition, it’s essential to have a central management system that can monitor both their physical and virtual security environments via a single pane of glass in order to avoid efficiency bottlenecks and productivity gaffes created by complicated multi-management servers, Bandouveres says.

 

Finally, as with physical data, virtual data is often most vulnerable when it’s lost or unaccounted for. However, unlike physical systems, the mobile nature of virtual systems enables workloads to be transported easily from one host or server to another.  As such, organizations increasingly are required to have security policies that reflect that development, Bandouveres says.

 

“It’s not something you see in the physical world. That server is never going to move,” he says. “In a virtualized environment, they’ve got full load balancing set up. You could see that workload move, and you need to be able to secure that.”

 

by Peerapong Jongvibool, Thailand Country Manager, Fortinet International Inc.