December 5, 2008
Virtualization, Security and Compliance… Can they exist together?
There is no doubt that virtualization is the hot trend right now. Many companies are
beginning the transformation of virtualizing their infrastructure or are in the planning
stages to do so. Virtualization has many benefits but it also has some hidden costs
and pitfalls many organizations don’t consider when adopting it.
I wanted to touch on two issues which don’t seem to be widely known or understood
with respect to virtualization:
security and compliance. >
“Virtualization simplifies security”
Virtualization may reduce your carbon footprint and hardware budget but it will increase
your security budget. Why you ask?
For starters virtualization adds yet another layer to your computing environment:
the hypervisor. You are going to need to ensure it is secured and monitored just as
you have for the others layers in your infrastructure.
there are the security needs of your VMs. Most people think this can be solved with
the new Virtual Security Appliances (VSA) hitting the market. Well, a VSA may handle
some of the issues but more than likely you will need either VM-based agents (such
as all the host-based security software available today) or those old standalone security
appliances you so desperately wish would go away.
Most likely organizations will be using 2 if not all 3 of these security tools to
secure their virtualized environments. Guess what, that’s more work than you are doing
now. In order for these tools to be worthwhile, staff will need to be assigned to
manage and monitor them. Question is whose plate will this fall on?
won’t let me virtualize”>
For the most part compliance guidelines haven’t kept up with technology. The new PCI
standard released last month doesn’t even mention virtualization. In fact, many feel
it could actually prohibit the use of virtualization. So as an organization that is
required to be compliant, can you meet the writing on the wall and still become virtual?
Answer is: it depends.
Because the standard doesn’t specify anything with regard to virtualized environment
it is left up to the individual auditors (or their firms policies) to decide what
is and isn’t acceptable to meet the requirements. For example Req
2.2.1 states only one primary function per server. In a virtualized environment,
one physical server could be running multiple VMs all providing different functions.
Is this compliant?
There is hope, VMware
recently joined the PCI Standards Council and appears to be taking a much more
proactive and aggressive role in ensuring that organizations are not held back from
virtualizing their environments because of compliance with standards.
For anyone currently undergoing virtualization, my advice to you is use common sense.
Do a risk and threat evaluation on the machines you are migrating to VMs. Then partition
the VMs onto your physical servers by risk and threat groups, not by function. Focus
on the information and keeping sensitive data (CHD, PII, ePHI) and machines required
to operate on it grouped together and separated from systems that don’t interact with
Doing your VM partitioning in an intelligent manner will help to simplify the VSA
layer policies, VM-hosted security software and any standalone security solutions
required to protect systems on that physical host.
Once you actually start deploying your hypervisors and VMs, use the tools available
to ensure they are as secure as functionally possible. The Center
for Internet Security has a suite
of tools you can use test your configurations.
Finally… I leave you with the following image (shamelessly borrow from Christofer