Complacency: The New Security Strategy for Virtualization?
Last year Gartner said that through 2012, “60 percent of virtualized servers will be less secure than the physical servers they replace.” Furthermore, they said that many virtualization initiatives are undertaken without involvement from the information security teams. And just recently, a CSO Flash Poll survey commissioned by Symantec revealed that while 70% of respondents reported that security and compliance concerns have not slowed the pace of virtualization adoption at their organization, 75% indicated that security and compliance are the largest factors in keeping them from full confidence when it comes to hosting business-critical applications on virtualized servers.
So let’s recap: virtualization continues at a rapid pace – even though these implementations are less secure, often without security teams not involved. Does anyone else see a problem here?
With an increasing focus around mission critical virtualized workloads and tier 1 applications, more and more organizations are slowly being brought back to the reality that truly effective security requires a defense in depth approach. Despite recent innovations in virtual platform API integrations and re-architected network perimeter defenses, these developments have not met longstanding standards for comprehensive protection. For example, antivirus protection is only one of arguably nine or so essential endpoint layers that are required to meet the increasing risks associated with an evolving threat landscape.
Yet that has been the conversation of focus in everything virtual around security. Protection is not a contest between agent and agent-less scanning or managed versus unmanaged systems. It is an increasingly important part of a transforming infrastructure that will ultimately result in the migration of the desktop to the data center (VDI) and to addressing new standards in the balance of security effectiveness and performance in high density environments.
Virtualization is well established as enabling an agile IT service infrastructure platform. A virtualized environment can more easily and more quickly spin up new server resources in moments that used to take days and weeks in a physical model. These same innovations are poised to deliver new ways of enabling service level security. The focus should be on delivering policy-based control layers on an automated and as needed basis depending on security and compliance requirements across a variety of dynamically changing critical workloads – be those physical, virtual or in the cloud.
We know that hackers and cyber criminals are constantly looking to exploit any new technology in their quest to steal data, and virtualization is no exception. But following some fundamental best practices will minimize the risks involved as businesses make the transition.
- Centralized Management – One of the most important considerations is to implement central management on virtual machines. Traditional endpoint management is time-consuming and risky, as each machine is exposed to its own set of risks through delays in patches and other updates. One of the most important benefits of virtualization is the way it lends itself to centralized control.
- Dynamic Grouping – Another advantage offered by virtualization is the ability to dynamically group applications and endpoints. This eliminates the problem of a single server hosting a group of applications that each has a discrete configuration. It also allows administrators to more easily manage user privileges, restricting network access and providing additional security.
- Reputation Based Security – Implementing reputation-based security provides robust security while minimizing resource usage. By drawing on data from millions of users worldwide, reputation-based security identifies threats and reduces the need for resource-intensive file scanning.
- Two Factor Authentication – Single-password security is no longer effective against the complex threats prevalent in today’s cybercrime. Two-factor authentication has become indispensable for providing appropriate security.
- Encryption – In addition to authentication, data encryption is one of the best ways to protect sensitive data. It not only protects from outside attacks, but it also keeps information safe in the event of an employee-generated incident such as loss of a device.
- Controls – Finally, it is important to establish effective controls within the network that can be monitored to identify and resolve issues as they arise. Virtualization offers an ideal opportunity to streamline new elements within the data center from the initial implementation, rather than always trying to catch up to problems that have already appeared.
As organizations move toward a service-centric delivery model with established levels of availability and business continuity, cloud enablement and hybrid off-premise data centers, security strategies will no longer be viable with a simple product installation and update process. The dynamic nature of mobile and constantly changing workload interactions will require a new breadth and depth protection capability that can automatically change as workloads come on and offline, recover to different hosts or interact with confidential or proprietary data. This is a hybrid model where service levels dictate the right level of protection controls directed at either users or data.
If you’re currently focused on which antivirus scanner you should use, you may be suffering from a complacency approach that is compromising your ability to secure your environment for the next phase of your evolution. Security is not one more chore to check off as infrastructure is virtualized, businesses should see it as a chance to make the system more secure from the ground up.
Comprehensive security and protection for virtual environments is critical. We are focused on this issue. And your organization should be focused it, too.
For more information, please check out the following: