Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By submitting your registration information to SearchSecurityChannel.com you agree to receive email communications from the TechTarget network of sites, and/or third party content providers that have relationships with TechTarget, based on your topic interests and activity, including updates on new content, event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile, unsubscribing via email or by contacting us here
- Your use of SearchSecurityChannel.com is governed by our Terms of Use
- We designed our Privacy Policy to provide you with important disclosures about how we collect and use your registration and other information. We encourage you to read the Privacy Policy, and to use it to help make informed decisions.
- If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States.
The challenge arises when the network and security teams discover that they've lost a good deal of the security visibility and operational control they once had, since both the network and hosts are virtualized on a single platform operated by the server administrators. This makes compliance, competencies and separation of duties trickier.
To ensure virtual security, work with your customers to address policies, procedures and responsibilities across server administration, network and security teams before you start deployments. This will limit the operational impact of virtualization.
Further, virtualization adds complexity that extends beyond management and provisioning, and changes the attack surface of your server and workstation deployments. Until security technology catches up with the virtualization vendors and tools become better integrated with the underlying virtualization infrastructure, recommend the following basic virtual security guidance to your customers:
- Follow the virtualization vendor's virtualization security hardening recommendations, paying strict attention to management and security settings.
- Harden virtual hosts by using the same processes, procedures and technologies you would employ on a physical server.
- Isolate virtual hosts in physically or logically segmented networks to prevent attackers from leapfrogging to traditionally secured physical hosts until you are comfortable with the impact virtualization has on security and networking.
- Group virtual machines that interact with one another on the same host using properly allocated virtual switch(es) to optimize performance and security.
- Perform a risk assessment that demonstrates clearly that the business understands what consolidating critical service infrastructure means to service levels, availability, business continuity planning and disaster recovery.
- Take into consideration that licensing models for security applications are still evolving in the virtualized world.
The best discussion to have with clients about virtualization is how to balance the business benefits with the potential operational, architectural and security changes, and be honest about how that will impact the organization.
This was first published in April 2008