When it comes to ensuring the security of the global IT enterprise, it's a dangerous world out there. According to the Symantec 2011 Internet Security Threat Report, malicious attacks have increased nearly 81% over previous years, the number of targeted attacks on organizations of all sizes is escalating, the adoption of mobile is increasing vulnerability, and data breaches are on the rise.
The massive IT shift to virtualization and eventually private and hybrid clouds is only adding another layer of complexity to the security challenge. Traditional enterprise security controls and protocols don't necessarily translate to the virtual world, and virtualization technology in itself introduces a brand new set of risks, many of which are not adequately addressed using existing security best practices. As a result, organizations aren't doing enough to mitigate risks in their next-generation environments—an oversight that can wreak havoc as critical business systems transition to virtual and cloud-based environments as a means of increasing business agility in a more cost-effective manner.
Let's consider security risks in the context of a virtual environment with some recommendations on how to address them:
Traditional risks don't go away in a virtual world. Companies have become adept at curtailing targeted malware, for example, but virtual software layers expand the potential attack surface and become a target for breach attempts that compromise networks and systems. There is also the possibility of introducing a dedicated, malicious VM that can orchestrate an "in-network" attack scenario.
Moreover, there are a slew of common risk factors complicated by virtualization. Large sets of system files can be swiped simply by removing a thumb drive or memory stick. The audit scope related to upholding compliance with regulations such as PCI, HIPAA, or SOX is likely to be extended due to the existence of data on virtual machines. Relocated VMs also create opportunities for missed security patches and updates, and there is too much reliance on traditional security barriers like firewalls and other perimeter-based approaches, which don't work effectively in this brave new world due to the dynamic nature of virtual instances.
Securing the promise of virtualization requires choosing solutions that are purpose-built to mitigate risk in virtualized environments. That means the solution needs to encompass capabilities around endpoint protection, application isolation, runtime configuration, data loss prevention, compliance, and identity management, but do so in a way that addresses the unique requirements of the virtual world from the ground up.
Mixed trust workloads. Virtual and hybrid cloud environments move data assets in and out of established trust zones, which spreads sensitive data around to more locations and increases the risk of data loss whether the culprit comes from inside or outside of the organization. In addition, while sensitive data previously might have been restricted to defined trust domains in the traditional world, it may now co-exist with other data on host systems, creating new opportunities for data loss and exposure.
Since VMs are not physically tied to servers, networks, or hosts, all policies must be enforced on the VMs themselves and be maintained even as they are frequently re-provisioned or moved. Security controls need to be addressed in the lowest layer of the infrastructure stack and should be managed through context, enforced by the hypervisor, as opposed to being orchestrated through the addition of new features.
Poor visibility and control. Because services can be instantiated, run, and de-provisioned much more rapidly in a virtual environment, it's harder to identify and address security risks in an accelerated timetable. Virtual networks also inject new layers of complexity that impede central visibility, and there can be inadequate controls over administrative access to the hypervisor/VMM layer, which opens the door to new threats.
The security and virtualization suites should be integrated to support hybrid environments so that a single console may be used to manage security across physical, virtual, and cloud-based infrastructure. Automated provisioning and lifecycle management must be part of an overall solution so that provisioning of security services is integrated with cloud management infrastructure and configured on demand when a workload arrives at a host.
Security in the hands of non-security experts. Virtualization and the cloud are designed to promote self-service provisioning, which means IT security experts are often left out of the equation. As a result, security controls are now entrusted to general IT staffers or line of business users who aren't necessarily familiar with established protocols.
Contextual security information should be served up to non-traditional security staff to accommodate rapid provisioning, without compromising traditional security best practices such as established separation of duties and privileges. To reduce the chance of user error, the systems should automatically apply the contextual information about the environment to determine optimal control settings and to help remediate security breaches.
As virtualization gains momentum as a way to foster business agility, more and more sensitive data and mission-critical services are being added to workloads in shared environments, increasing companies' risk of exposure. In order to meet the new and evolving security challenges in a world that spans both physical and virtual assets, IT needs to reexamine security controls and best practices. At the same time, security requirements need to be addressed from the ground up as IT builds out this new infrastructure, not as an afterthought or by merely bolting on new features.
Symantec offers a full portfolio of products to address security needs in a virtualized environment, including Symantec Endpoint Protection, Data Loss Prevention, Control Compliance Suite, Critical System Protection, Symantec Security Information Manager, and Managed Security Services. Working in concert, the offerings deliver deep levels of platform integration, which allows for greater visibility and control, consistent policy coverage, and greater operational alignment between security and IT operations teams. Find out how Symantec products can help your organization pave a more secure, risk-free path to virtualization and the cloud.