By Dave Shackleford
Virtualization technology is becoming ubiquitous. More and more organizations are replacing physical infrastructure with virtualized systems, including desktops and servers, and application and storage virtualization are popular as well. Virtualization changes a number of paradigms across the information technology landscape â€“ some obviously for the good, some possibly for the worse. In the realm of GRC, virtualization has some distinct points to consider, many of which may require changes in operations and policy, as well as overall information security management.
Where governance is concerned, virtualization brings about changes in separation of duties and policy definition.
In traditional IT environments, distinct teams with specialized skill sets manage and operate various pieces of the infrastructure. Network engineering and administration teams manage routers and switches, Windows systems admins manage Windows servers, etc. With virtualization technologies, all of these functions are collapsed into a generally cohesive management structure, such as VMwareâ€™s vCenter Server.
This leads invariably to challenges with â€œwho manages whatâ€ â€“ many IT shops tend to put the burden of managing VMware solutions on Windows admins, for example. These admins now manage the virtual machines, the underlying hypervisor platforms, the virtual networks, storage connections, etc. All of these can be regarded as separate disciplines, and having one team manage them all flies in the face of proper separation of duties.
Along with this problem comes the definition of policies governing the use and oversight of these technologies â€“ who drafts the policies, and which teams are the policy owners?
The overall risk landscape changes dramatically with virtualization, too.
Many of the risks are similar to those we understand today, but are present in a somewhat different form. The lack of proper change management and configuration management programs are still viable risks that can lead to innumerable security issues, but theyâ€™re compounded by the operational nuances of virtualization technologies themselves. For example, the act of creating and provisioning systems is simplified immensely â€“ keep a template, generate a new virtual machine from it, move the VM to a host platform, and flip the switch.
Without ensuring that a) the template configuration is patched and up to date, and b) the VM provisioning has gone through change control, the risk of having a new system online that has OS or application-specific vulnerabilities is exponentially higher. Threat vectors change, too â€“ if the hypervisor platform is compromised by an attacker, the entire group of virtual machines hosted on that platform is immediately at risk, which tells us that new risks inherent in hypervisors hold much greater impacts than single-system risks that weâ€™ve managed before this, potentially.
On the compliance front, there is a considerable amount of grey area around how virtualization plays a role. On the one hand, most compliance mandates (SOX, HIPAA, GLBA) are vague enough to leave the interpretation open to both auditors and auditees alike. Herein the issue lies, however â€“ compliance mandates open to subjective interpretation are bad, since potentially unsafe practices may be considered acceptable by different auditors and organizations who donâ€™t understand the risks, technologies, or both.
Even more prescriptive regulations like the PCI DSS donâ€™t specifically address virtualization, which has led to a number of issues around interpretation. For example, PCI DSS section 2.2.1 mandates that all servers involved with payment card data should only have a single function, such as a dedicated Web server or database server. What about virtualization hosts like VMware ESX, though? Itâ€™s a single server, but runs VMs that perform a variety of different functions. Although a Virtualization Special Interest Group (SIG) has worked on this, thereâ€™s no clear timeframe for integrating their work into the standard. In addition, many auditors just donâ€™t understand virtualization technology, and default to the most restrictive possible implementation methods â€œjust to be safeâ€ â€“ any â€œknee jerkâ€ reactions of this type are probably a bad thing, in either direction.
Virtualization can help organizations reduce operating costs, and many feel that itâ€™s a key component to â€œGreen ITâ€ strategies aimed at reducing energy consumption. However, despite popular belief, it actually makes the IT environment more rather than less complex, and a number of new processes and approaches are needed to ensure that security and risk management keep pace with its adoption.
Dave Shackleford, Director of Security Assessments and Risk & Compliance at Sword & Shield Enterprise Security, is also a SANS Analyst, instructor, course author and GIAC technical director. He has consulted with hundreds of organizations in the areas of regulatory compliance, security, and network architecture and engineering. He’s worked as CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies.