EXPERT RESPONSE
Security strictly related to virtualization technology is still in its infancy. There are some technologies, such as Blue Lane's VirtualShield, that secure the virtual environment at the hypervisor layer. However, I do not believe that these are in widespread use yet and the need for such a measure may still be in doubt at some businesses. The Blue Lane product website cites uncontrollable server sprawl as a downside to virtualization. The theory is that since virtual machines are so easy to create and duplicate, that IT departments will ignore best practices and procedures. They will just start creating vm's at will, with no regard to policy.
While this may happen, that kind of problem seems more like a management fix, rather than a technology solution. Stick to sound policies, even when deploying virtual machines. Assessing the security needs for a virtual environment should be similar to assessing the needs of a physical environment. Questions like, "Who needs access to this database?" or "What are your patch schedule requirements on these servers? (physical or virtual)" should still be a priority.
Make sure there is a good balance between security and usability. Help the customer document who is responsible for maintaining, commissioning, or accessing new and existing virtual machines. This may include setting up new users on virtualization technology consoles and assigning the appropriate permissions. Just follow the steps that you would take when securing a physical environment at the Operating System level. Then, you can help the customer deal with specific virtual security requirements.
It is often easy to get caught up in new technology to solve what may appear to be serious problems. Virtualization security software may prove to be useful in the long run. However, it is important to stick with the basics and establish a solid foundation before evaluating those products.
|
