How can IT, risk and security professional guard against it? Dwayne Melancon reports.
Yet internal conflicts and confusion as to who is responsible for a variety of key tasks – from change control to compliance – is leaving organisations vulnerable to both security threats and compromised performance.
Unless organisations recognise the fundamental changes required to achieve a robust virtual environment, and clearly define responsibilities across systems administration, security misconfiguration will fundamentally undermine the promised cost benefits and productivity improvements that virtualisation can deliver.
Virtual technology: critical technology
Over the past two years, virtual technology has gained a significant foothold in IT operations across the globe, moving steadily from pre-production and test environments through to fully-operational, business critical systems.
According to the survey report: ‘Is Virtualisation Under Control: Current Opinions on Security and Controls for Virtual Servers in Production Environments’, over 90% of respondents said that virtualised servers are now deployed in production environments. In fact, three out of every four respondents reported that up to half of all their production servers are now virtualised.
However, many organisations are beginning to question the robustness and security of virtual deployments. Some, indeed, have even put a complete block on any new virtual implementations in the wake of serious performance and compliance problems.
One of the key reasons for this problem is revealed by the survey which points to confusion about accountability in the new environment, with growing turf wars developing between systems administrators and security teams.
Changing disciplines
One of the major problems created by virtualisation is that the technology brings together many previously separate disciplines.
In the physical environment roles are clearly defined, with clear boundaries. Yet as soon as an organisation embarks on a virtual implementation all involved suddenly have to consider and understand a multitude of technology areas, including the hypervisor layer, server management, the virtual network infrastructure and even application security.
This broad role creates a new challenge not only for the individuals – who, typically, haven’t been provided with the additional skills or knowledge required to achieve a successful and secure virtual implementation – but also the IT management.
Without clear guidelines from the top, there’s no collaboration between security teams and network administrators and those tasked with the virtual deployment. The result is numerous ‘best effort implementations’ with inconsistent configuration and risk compromising existing physical and virtual systems.
What about the business risk?
Certainly, there is growing awareness of the dangers associated with poor configuration. According to the survey, the majority of respondents agree that security risks for virtual servers are the result of misconfiguration, not inherent weaknesses of virtualisation technology.
The problem is widespread. According to Gartner, through 2009 no less than 60% of virtual infrastructure will be less secure than physical counterparts.
In many ways, it’s the perceived inherent simplicity of virtual technology that has created this problem. Creating a virtual switch is relatively easy. As a result, a large number of organisations have experienced an informal adoption that has resulted in a widespread, yet ad hoc implementation in both pre-production and production environments.
By contrast, the minority that have taken a strategic approach to virtual technology and developed the right processes, policies and operational collaboration have full visibility of their virtual systems, and have achieved consistent and trusted configurations.
Virtualisation by stealth
For those organisations experiencing virtualisation by stealth, the business risk is significant. This ‘best effort implementation’ is inconsistent, creating configuration variance that adds management cost. With no clear policies or procedures, configuration and mistrust is rife.
The problem is exacerbated by the lack of system visibility: many of the existing system management and monitoring tools are unable to support the virtual environment, creating an additional layer of confusion and mismanagement. Indeed, many IT Departments simply have no idea how many virtual systems have been deployed across the business.
This ad hoc, uncontrolled approach to virtualisation is driving up ownership costs and reducing reliability and predictability. Furthermore, it’s undermining the core objectives of the virtual deployment: improved cost and efficiency.
A virtual understanding
With the right policies, education and collaboration, it’s a simple process to realise those benefits. Virtual technologies are well supported and well documented. There are excellent standards and preconfigured policies for every aspect of the implementation, from VMWare hypervisor hardening onwards, with step-by-step instructions.
By combining complete virtual system visibility with a policy-based approach to configuration an organisation can rapidly assess whether or not an implementation is conforming to the standards.
Furthermore, by leveraging proven standards and real time monitoring to ensure the system is in compliance with the policy, organisations can feel confident that even junior administration staff can achieve a successful, consistent deployment.
Critically, a consistent policy-based approach enables an organisation to embark upon rigorous, consistent deployment of the virtual architecture while also providing individuals across the business with a better understanding of the technology.
By reinforcing defined policies with links to deeper reference materials about the importance of settings and the consequences of not adhering to policies, staff achieve just-in-time learning. This delivers the virtual insight required to break down operational barriers and ensure staff have the skills, knowledge and confidence to deliver consistent, reliable and secure virtual configurations.
Considering the operational imperative
In today’s economy, it’s becoming essential to implement a cost-effective and productive environment. Virtualisation is a key tool in realising that goal. However, far too many organisations are experiencing service-impacting problems due to misconfiguration.
In some cases, these problems are fundamentally undermining the organisation’s faith in virtual technology, resulting in increasing signs of delays and a slowdown in adoption, particularly within production environments. Such poor configuration is without doubt preventing organisations from realising the true goal of virtualisation.
Furthermore, with a lack of co-operation between IT administrators, compliance, network management, audit and security, the myth of virtualisation’s inherent risk is being propagated across the organisation. The policies and processes needed to achieve a robust, secure implementation are not even being discussed because the business is at a strategic stalemate.
To make matters worse, security is often an extreme afterthought – forcing security measures to be implemented in an ineffective, stop-gap fashion.
In stark contrast, consider those organisations that truly understand virtualisation, who have put in place the operational changes and systems visibility required to achieve a policy based implementation. Key elements of the IT team, including security, take a proactive role in defining the virtual strategy way before implementation in order to achieve the expected return on investment.
These organisations are now taking a ‘virtualisation first’ approach to deployment – and reaping significant benefits in terms of reduced cost, resources and time as a result.
Virtual technology is undoubtedly the way forward. The key is to ensure that those tasked with implementation understand the bigger picture, build security in from the beginning of the life cycle and can encourage well documented policies to achieve consistent configuration across the organisation.
Dwayne Melancon is vice-president of corporate and business development at Tripwire