Virtualization, Security & Compliance and How They Can Exist Together
There is no doubt that virtualization is the hot trend right now. Many companies are beginning the transformation of virtualizing their infrastructure or are in the planning stages to do so. Virtualization has many benefits but it also has some hidden costs and pitfalls many organizations don’t consider when adopting it.
I wanted to touch on two issues which don’t seem to be widely known or understood with respect to virtualization: security and compliance.
“Virtualization simplifies security”
Virtualization may reduce your carbon footprint and hardware budget, but it will increase your security budget. Why, you ask?
For starters, virtualization adds yet another layer to your computing environment: the hypervisor. You are going to need to ensure it is secured and monitored just as you have for the other layers in your infrastructure.
Then there are the security needs of your VMs. Most people think this can be solved with the new Virtual Security Appliances (VSA) hitting the market. Well, a VSA may handle some of the issues but more than likely you will need either VM-based agents (such as all the host-based security software available today) or those old standalone security appliances you so desperately wish would go away.
Most likely, organizations will be using 2 if not all 3 of these security tools to secure their virtualized environments. Guess what, that's more work than you are doing now. In order for these tools to be worthwhile, staff will need to be assigned to manage and monitor them. The question is, whose plate will this fall on?
“Compliance won’t let me virtualize”
For the most part, compliance guidelines haven't kept up with technology. The new PCI standard released last month doesn't even mention virtualization. In fact, many feel it could actually prohibit the use of virtualization. So as an organization that is required to be compliant, can you meet the requirements as written and still become virtual?
The answer is: it depends.
Because the standard doesn't specify anything with regard to virtualized environments, it is left up to the individual auditors (or their firms' policies) to decide what is and isn't acceptable to meet the requirements. For example, Req 2.2.1 states only one primary function per server. In a virtualized environment, one physical server could be running multiple VMs all providing different functions. Is this compliant?
There is hope! VMware recently joined the PCI Standards Council and appears to be taking a much more proactive and aggressive role in ensuring that organizations are not held back from virtualizing their environments because of compliance with standards.
For anyone currently undergoing virtualization, my advice to you is to use common sense.
Do a risk and threat evaluation on the machines you are migrating to VMs. Then partition the VMs onto your physical servers by risk and threat groups, not by function. Focus on the information and keeping sensitive data (CHD, PII, ePHI) and machines required to operate on it grouped together and separated from systems that don’t interact with that information.
Doing your VM partitioning in an intelligent manner will help to simplify the VSA layer policies, VM-hosted security software and any standalone security solutions required to protect systems on that physical host.
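As an added illustration of the partitioning advice above (this is example code, not from the original post), the script below groups a constructed VM inventory by the most sensitive data class each VM handles rather than by its function, packs each risk group onto its own hosts, and includes an audit check that flags any host co-locating VMs from different risk groups. The inventory, host naming and slot count are assumptions.

```python
from collections import defaultdict

# Constructed sample inventory (not from the original post): each VM has the
# function it serves and the most sensitive data class it handles.
# Data classes follow the post: CHD (cardholder data), PII, ePHI, or "none".
VMS = [
    {"name": "web-01", "function": "web", "data": "CHD"},
    {"name": "web-02", "function": "web", "data": "none"},
    {"name": "db-01", "function": "database", "data": "CHD"},
    {"name": "db-02", "function": "database", "data": "PII"},
    {"name": "app-01", "function": "app", "data": "ePHI"},
    {"name": "mail-01", "function": "mail", "data": "none"},
    {"name": "log-01", "function": "logging", "data": "CHD"},
]

SENSITIVE = {"CHD", "PII", "ePHI"}


def risk_group(vm):
    """Assign a VM to a risk/threat group by the data it touches, not by its function."""
    return vm["data"] if vm["data"] in SENSITIVE else "general"


def partition_by_risk(vms, slots_per_host=3):
    """Pack VMs onto hosts so that every host holds a single risk group.

    Hosts are named '<group>-hostN' (an assumed convention). A host is never
    shared between groups, even when it has free slots left.
    """
    groups = defaultdict(list)
    for vm in vms:
        groups[risk_group(vm)].append(vm["name"])
    hosts = {}
    for group, names in sorted(groups.items()):
        for i in range(0, len(names), slots_per_host):
            host = f"{group}-host{i // slots_per_host + 1}"
            hosts[host] = names[i:i + slots_per_host]
    return hosts


def find_mixed_hosts(hosts, vms):
    """Audit check: return the hosts that co-locate VMs from different risk groups."""
    group_of = {vm["name"]: risk_group(vm) for vm in vms}
    return sorted(h for h, names in hosts.items()
                  if len({group_of[n] for n in names}) > 1)


if __name__ == "__main__":
    layout = partition_by_risk(VMS)
    for host, names in layout.items():
        print(host, names)
    print("mixed hosts:", find_mixed_hosts(layout, VMS))
```

Running the audit check against a function-based layout (all web VMs on one host, all databases on another) shows why the post argues against it: it reports the hosts that mix cardholder-data systems with out-of-scope ones.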
Once you actually start deploying your hypervisors and VMs, use the tools available to ensure they are as secure as functionally possible. The Center for Internet Security has a suite of tools you can use to test your configurations.