Virtualization

Organizations considering virtualized platforms will have to examine their impact on overall security policy. Moving to a virtualized implementation involves maintaining a culture of security diligence, reports Jim Romeo.
When the City Council of Athens, Ala. convened in early 2013, Dale Haymon, the city's director of information technology, delivered a presentation focused on how the municipality could save about $49,000 on energy and electricity costs, and facilitate its many IT processes by structuring servers and clients with virtualization.

Although the promise of reduced costs has appealed to many in similar situations, security experts warn that a move to virtualization must not trump careful contemplation and scrutiny by today's CIOs and IT leadership. Such a thorough examination must take into account the impact that virtualization will have on an organization's overall security policy, the risk it imposes, how to mitigate such risk, how to implement access controls, and what best practices an organization can or should implement in its present IT environment.
The risk of a virtualized environment begins with an awareness of the IT architecture, and the associated configuration and hardware that enable it. "The largest risk for virtualization is having multiple operating systems and applications on a single host," says Brandon Meyer, an engagement manager with SWC Technology Partners, an IT consultancy based in Chicago. "In the event of a host failure, you are losing multiple applications at once instead of a single one," he says. "This is becoming a larger risk with better hardware that allows you to put more and more applications on a single host. It is not unheard of to have 30 to 40 or even 50 instances of virtual machines running on a single piece of hardware."
When evaluating that risk, one needs to look at the applications in use and determine what the effects are if that host were to fail. For instance, he says, when one has a three-tier application, it doesn't make sense to spread those tiers across multiple hosts. If one were to lose a tier, then access is lost to the entire application. "In this scenario, you want to set up rules within your virtualization hypervisor to keep all instances of that application on the same host," Meyer says. "This way you have reduced the number of applications that will be down by 33 percent." Users also need to evaluate that when load-balanced systems are in place, such as web front-ends, they are not all on the same host. "When an implementation has multiple instances of a load-balanced application, administrators need to keep those instances off of a single host and make sure they are split across multiple hosts and storage arrays if possible," he says.
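Meyer's two placement rules can be audited mechanically. The Python below is an added example, not code from the article or from SWC Technology Partners: it checks a constructed VM inventory for tier affinity and load-balancer anti-affinity, and then computes which applications a single host failure would take down. The host, storage-array and application names are assumptions.

```python
"""Audit VM placement: tiers of one app on one host (affinity), load-balanced
instances spread across hosts and arrays (anti-affinity), host blast radius."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    app: str      # application the VM belongs to
    tier: str     # web / app / db
    host: str     # physical host running the VM
    storage: str  # storage array backing the VM's disks


# Constructed sample inventory (hypothetical hosts, arrays and applications).
SAMPLE_VMS = [
    VM("payroll-web", "payroll", "web", "host-1", "san-a"),
    VM("payroll-app", "payroll", "app", "host-1", "san-a"),
    VM("payroll-db", "payroll", "db", "host-1", "san-a"),
    VM("crm-web", "crm", "web", "host-1", "san-a"),          # tiers split across hosts
    VM("crm-app", "crm", "app", "host-2", "san-a"),
    VM("crm-db", "crm", "db", "host-2", "san-a"),
    VM("portal-web-1", "portal", "web", "host-1", "san-a"),  # both LB copies on one host
    VM("portal-web-2", "portal", "web", "host-1", "san-a"),
    VM("portal-app", "portal", "app", "host-3", "san-b"),
    VM("portal-db", "portal", "db", "host-3", "san-b"),
    VM("shop-web-1", "shop", "web", "host-2", "san-a"),      # LB copies correctly spread
    VM("shop-web-2", "shop", "web", "host-3", "san-b"),
    VM("shop-app", "shop", "app", "host-3", "san-b"),
    VM("shop-db", "shop", "db", "host-3", "san-b"),
]


def group_by_tier(vms):
    """Map (app, tier) -> list of VMs; a tier with several VMs is load-balanced."""
    groups = defaultdict(list)
    for vm in vms:
        groups[(vm.app, vm.tier)].append(vm)
    return groups


def check_placement(vms):
    """Return {'affinity': {app: hosts}, 'anti_affinity': {(app, tier): problems}}."""
    findings = {"affinity": {}, "anti_affinity": {}}
    single_tier_hosts = defaultdict(set)
    for (app, tier), members in group_by_tier(vms).items():
        if len(members) == 1:
            # Single-instance tiers of one application should share a host.
            single_tier_hosts[app].add(members[0].host)
            continue
        problems = []
        if len({m.host for m in members}) < len(members):
            problems.append("instances share a host")
        if len({m.storage for m in members}) < len(members):
            problems.append("instances share a storage array")
        if problems:
            findings["anti_affinity"][(app, tier)] = problems
    for app, hosts in single_tier_hosts.items():
        if len(hosts) > 1:
            findings["affinity"][app] = sorted(hosts)
    return findings


def host_failure_impact(vms, host):
    """Apps that go down if `host` fails: any tier whose every instance is on it."""
    down = {app for (app, _), members in group_by_tier(vms).items()
            if all(m.host == host for m in members)}
    return sorted(down)


if __name__ == "__main__":
    print(check_placement(SAMPLE_VMS))
    for h in ("host-1", "host-2", "host-3"):
        print(h, "failure takes down:", host_failure_impact(SAMPLE_VMS, h))
```

Running it shows why co-locating an application's tiers shrinks the blast radius: the split-tier "crm" app is lost whether host-1 or host-2 fails, while "payroll" is affected by exactly one host.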
With a single host, there are many virtual machines (VMs) that will be affected when security is breached. Specifically, the bigger problem in a virtual environment is the far-reaching impact on the VMs associated with a single point of attack. "A compromise of the virtualization layer could result in the compromise of all hosted VM workloads," says Gary Loveland, a principal and leader of PwC's global security practice in Irvine, Calif. "If the hypervisor is attacked, the hacker could have access to all data that flows across it, and could get into all of the VMs." On a typical hypervisor setup, workloads and different VMs can be consolidated on the same physical server. That is becoming increasingly common for cost and power efficiency.

For example, he says, a physical server might be hosting a VM with a database that is sensitive content, and another VM might be hosting the front-end of the application. This can create challenges for compliance. The hypervisor requires patching, in which case all VMs would have to be brought down.
So it's not a single server that is at risk, but all the images along the chain. This all adds to the challenge in developing and implementing security policy designed to safeguard against intrusions. Security monitoring must take into account all of the virtual networks that exist. Loveland says the lack of visibility and controls on internal virtual networks can blind already existing security policy enforcement mechanisms. "Virtual servers are generally not monitored in the same way that physical servers are, and when VMs can communicate, it can create an invisible network," he says. "You need all of the same controls (firewalls, sniffers, etc.) that would be used on a physical server inside the virtual network to monitor effectively."

80% of federal information technology leaders say their agencies have implemented some manner of server virtualization. (2012 MeriTalk survey)

www.scmagazine.com | 2013 Haymarket Media, Inc.
As well, there is a potential loss of separation of duties for network and security controls. "When physical servers are collapsed into a single machine, it increases the risk that both system administrators and users will inadvertently gain access to data that exceeds their normal privilege levels," he says. "Another area of concern is which group configures and supports the internal virtual switch."
Risk mitigation: Manage, validate and control

For an IT manager, virtualization demands prompt mitigation in response to an incident, and this is always a challenge for IT leadership. In fact, it is an ever-changing skill set and business practice that must adapt as security threats change and find their way into network infrastructure. For virtualized environments, risk mitigation begins with sound security policies anchored in a good understanding by all security team members within the enterprise.

Loveland says VMs should be held to the same standards as physical machines, as they require the same separation and security controls. "Organizations should extend their policies, practices and technologies to manage, validate and control the virtual infrastructure," he says. "Monitoring and protecting each layer in the configuration is crucial to reducing the threat surface."

Additionally, virtualization security must begin with the security team and operations team working in tandem to develop a mutual understanding of the virtual platform, he says. Together, these groups should develop a common set of processes and strategies that become the guidelines for virtual data center functioning.
And the transition does not have to be difficult. CIOs can embrace certain security models to strengthen their virtualization security, says Stan Yarbrough, a consultant with Datalink, based in Minneapolis. "Moving from physical to virtualized security is viable and easy," he says. And, aligning the security management functions within the organization to embrace newer security models can significantly reduce costs, he says. Using security models that consider virtualized technology and data protection can accelerate the move to cloud technologies. Physical security models greatly limit the capability to create scalable infrastructure.

20% savings within the federal government in its IT budget through virtualization. (2012 MeriTalk survey)

$5B in savings annually by 2015 from the government's transitioning to server virtualization and cloud computing storage. (2012 MeriTalk survey)

Securing a virtual environment: Five major requirements

1. Limit who can design, create and implement virtual environments. Do not allow departments, organizations or partners to develop even a test virtual environment without IT involvement.
2. Require standards, such as policies, systems and applications images, access controls, patch management, data security configurations, naming and addressing conventions.
3. Require physical segmentation for security requirements.
4. Require physical separation of data across multiple clients, as well as personally identifiable information (PII) sets.
5. Purchase special tools and applications to monitor systems and applications communications, which occur between virtual devices.

John Irvine, CIO of Prescient Solutions, provided five tips for defending virtualized environments.
Yarbrough adds that virtualization allows servers to become easily mobile among data centers and can be distributed as needed based on workload requirements and security requirements. "A software development organization can ensure that new development takes place in highly secure private data centers, and, once released, can be moved to other data centers for deployment or access by customers," he says. "Virtualization can allow internal servers and DMZ servers to share the same system resources with a very high level of security controls, including intrusion prevention and firewalling. It is possible to build highly scalable, multi-tenancy environments with less cost and greater operational controls."
Access, control and permissions

Access, control and permissions play important roles in achieving solid virtualization security. This process begins with skill in managing the resources that will be servicing and maintaining the VMs. PwC's Loveland says organizations should implement role-based access control for administrative capabilities to limit user access and to monitor the number of VMs in the organization. This also provides a process for patching and maintenance schedules.
"Risks are mostly the same as non-VM implementations with respect to the logical system-level related issues, but additional considerations are required for VM admin setup and processes related to security and operational access," says Alon Israely, a licensed attorney and certified information systems security professional, who leads the strategic partnerships for New York-based BIA (Business Intelligence Associates), a firm he co-founded. These additional considerations include, for example, access to shut down or start up a virtualized system, access to and management of licenses (OS or app licenses), underlying infrastructure access and control, and IT and HR policies.
The administrative process of authorizing and documenting roles and permissions is an important part of security management in a virtualized environment. "Authorization and proper documentation of changes to any of the roles and permissions for administrators can have a detrimental impact on the risk of virtual machine infrastructures," says Steve Barone, the founder and CEO of Creative Breakthroughs, a Troy, Mich.-based IT advisory services firm. "Controlled access to the VMs via proper lockdown of the privileges should be maintained at all times, and controlled access to the virtual environments should be ensured to reduce code exploitation through malicious software attacks."
As virtualization becomes more common, its security will continue to challenge IT leadership. However, there are many management actions and steps that can be taken to bolster data protection and improve the utility of virtualized servers. CIOs and IT managers should approach security management by viewing and evaluating, from a systematic viewpoint, the virtual environment they are controlling. With any virtualization initiative, it is essential to define an evaluation framework to enable a systematic, structured and thorough systems view, says Loveland. "Extend your existing security solutions to cover the virtualized environments and have an independent layer handle the virtual environment's security, on top of OS security, network security and application security." Firewalls and scans, he adds, should be deployed and conducted on a separate layer that cannot be reached by the OS. "Continually monitor the virtual network and implement the same security standards used on physical machines," he says.

37% of the federal IT workload today is done on virtualized servers. (2012 MeriTalk survey)
As well, it is important to build an overall security strategy with accompanying architecture to implement it. "We strongly recommend that you should have an overall security strategy and architecture," Loveland says. "Addressing security for a specific technology or component is not a good approach. Security needs to be addressed proactively, before new technology is introduced."
As the virtualization of private data centers expands and matures, cloud computing, especially the public cloud, will drive security, says Shaun Donaldson, director of alliances at Bitdefender, a Bucharest, Romania-based anti-virus vendor. "Public cloud adoption is accelerating, and private cloud is a future that virtualization vendors wish upon all of their customers," he says. "Organizations today are concerned less with asking whether or not they will virtualize or use public cloud, but rather: How do we do it?"

The acceptance of in-house cloud, public cloud, and hybrids of the two, will continue to accelerate, he adds. Also, the future of security involves planning for the data center, rather than safeguards being bolted on after the fact. "Security practitioners would be well served by anticipating data center trends," Donaldson says. "Security cannot be the missing link. In the next three to five years, security must be architected to operate on multiple hypervisors, interact with different management and orchestration platforms and, above all, take advantage of the opportunities that hypervisors provide."
Virtualization security: A CIO's perspective

Jerry Irvine is CIO of Prescient Solutions, an IT consultancy based in Chicago. He provides strategic direction on all IT matters to his firm's client companies, as well as to Prescient. We spoke with him to understand his views on virtualization security in today's IT landscape:

SC: Can you tell us about your experience with virtualization and virtualization security projects? What sort of challenges have your clients brought to you in this topic?

Jerry Irvine: While security is always a major concern, it becomes even more challenging when supporting environments designed to house multiple concurrent clients accessing disparate applications via the same physical server, data storage solution and communications link.

Legacy security solutions began with the principle of physical segmentation. Since the advent of shared services (application service providers, software-as-a-service, and now the cloud), security can no longer be maintained via the separation or segmentation of physical perimeters. Security must now be enabled throughout the system environment, from the development of access controls, operating systems and applications, as well as some form of physical security. Nevertheless, as a result of virtualization, the focus of IT security has shifted from device- and perimeter-based security to data security.

SC: Can you cite some examples of the dangers of intrusion and breaches in a virtualization setting?
JI: Many intrusions and breaches can continue to be traced back to the lack of definition and implementation of standards, policies and procedures, even in a virtual environment. After implementation of virtual servers and systems, many companies begin over-virtualizing. Creating separate application and systems environments in multiple virtual systems is commonplace, even when the development of another virtual server is not justified. This over-virtualization creates even greater complexity, making complete systems documentation more time-consuming, difficult and improbable. As a result, standard management and update procedures are not put into place for all systems. This ultimately leads toward server infestation with malicious applications, causing loss or corruption of data, systems outages and complete remote control of systems from external malicious entities. Additionally, lack of training in virtual systems is most likely the largest cause for malicious access and actions.
SC: What are some of the greatest misconceptions about virtualization security from your perspective?

JI: The most common misconception of virtualization is that individual virtual devices within a common physical environment are segmented and secure from the other applications and communications occurring on those other virtual devices. This is similar to the misconception that physical segmentation of servers on common networks is secured from the applications and communications occurring on those other physical servers. This is never true. Communications between virtual servers and/or their applications can traverse across the physical backplane as easily as communications can occur between physical devices connected on common network backplanes.

SC: Are there particular configurations that CIOs can implement to strengthen their virtualization security?

JI: It is important to understand application access requirements and classify them based on needs of both the systems and data. Just like DMZ segmentation of network infrastructure, devices should be implemented with separate physical devices, and applications requiring only internal access ideally should be separated, both virtually and physically, from publicly accessible systems. Merely segmenting internal and external applications virtually without physical segmentation could allow malicious applications to traverse the virtual backplane, corrupting or losing data and causing systems outages or providing complete control of the internal systems.

For more information about ebooks from SC Magazine, please contact Illena Armstrong, VP, editorial, at illena.armstrong@haymarketmedia.com.
64% of state-and-local respondents say server virtualization takes priority over desktop virtualization. (2012 MeriTalk survey)
Sponsors

F5 is the leader in ADC technologies. F5 security solutions provide data center firewall services, simplify and unify access control, secure and accelerate remote access, and protect email, all while enhancing network and application performance. Leading organizations trust F5 for the tailored security they need, and the reliable, flexible access their users demand.

For more information, visit www.f5.com
Bitdefender's Security for Virtualized Environments (SVE) eliminates the traditional requirement of installing full antivirus clients on all virtual machines. Bitdefender provides a virtual appliance which reduces costs while maximizing consolidation ratios in Windows, Linux, and Solaris environments. Bitdefender SVE provides integrated protection for VMware, Citrix Xen, Microsoft Hyper-V and more.

For more information, visit http://enterprise.bitdefender.com
Virtualization security will never be the same. Try the most advanced security for VMware on the market: our centralized antivirus appliance integrates with vShield 5, Citrix XenServer and Microsoft Hyper-V to maximize consolidation ratios while providing maximized protection for Windows, Linux and Solaris environments.
Are your apps safe? Find out with a free security scan from F5.

F5 and Cenzic

Cenzic provides application security to continuously assess cloud, mobile, and web vulnerabilities, helping organizations of all sizes protect their reputations. Cenzic solutions are used in all stages of the software development lifecycle, but most importantly in production, to protect against new threats for the life of the application.

- Quick, flexible solution: Available as a cloud-based subscription with self- or managed-service options with nothing to install.
- Consolidated management: Tight API integration with F5 lets you assess and block vulnerabilities directly from the BIG-IP ASM GUI.
- Immediate, accurate results: Cenzic security produces automated, near-instantaneous results with minimum false positives.
- Clear, efficient reporting: Web-based dashboards and a prioritized vulnerabilities list with risk score provide easy insight into your security environment.

For more information about Cenzic, visit cenzic.com.

F5 and WhiteHat Security

WhiteHat Security provides website risk management solutions that protect data, ensure compliance, and narrow the window of risk. The WhiteHat Sentinel product family is a website vulnerability management solution that delivers the visibility, flexibility, and control you need to prevent attacks.

- Continuous protection and support: Ongoing testing keeps up with website changes, and vulnerabilities are verified by WhiteHat's Threat Research Center (TRC) team, who help you understand and remediate vulnerabilities.
- Accurate results: The TRC verifies vulnerabilities to ensure accuracy, enable BIG-IP ASM to act immediately on findings, and save you time and resources.
- Comprehensive coverage: Scanning automation plus TRC expertise and management provides high scalability and transparency.
- Production-safe methodology: Production-safe testing allows you to assess your site continuously without interfering with customer or business partner processes.

For more information about WhiteHat Security, visit whitehatsec.com.

Take advantage of F5's joint solutions with Cenzic and WhiteHat Security to find application vulnerabilities and patch them immediately. Schedule a free scan with your choice of Cenzic or WhiteHat Sentinel software to see how you can reap the benefits.

- Improve enterprise security with Dynamic Application Security Testing.
- Quickly mitigate risks via integration with F5 BIG-IP Application Security Manager (ASM).
- Reduce your organization's risk exposure with an easy and cost-effective combined solution.
- Protect your apps from the OWASP Top Ten vulnerabilities while achieving compliance.

Visit interact.f5.com/freescan.html to assess your apps today.