CA Community







November 2011 - Posts

CA Technologies Adds New IAM as-a-Service Solutions

Published: November 14 2011, 08:18 PM | no comments
by Merritt Maxim

I am very excited to blog about our announcement at CA World of two new cloud IAM services.

  1. CA IdentityMinder as-a-Service
  2. CA FedMinder as-a-Service

These two services are part of the CA CloudMinder IAM as-a-Service portfolio. The solutions are managed and sold by CA Technologies and provide capabilities similar to those of CA Identity Manager and CA Federation Manager. The services give our customers the option to use our IAM technology on premise, as a service, or as a mix of both. The addition of these cloud solutions to our existing managed authentication services gives customers a wide range of CloudMinder security services to support their growing business initiatives.

This launch serves as another proof point of our corporate strategy to enable cloud use and help simplify cloud choice - the decision of if and when to embrace cloud and then select the right type of cloud offering - public, private or hybrid. 

With these two new cloud IAM services, organizations can now enable such capabilities as:

  • User Management: Reduces administrative overhead by giving users, customers and partners self-service functionality, including profile creation, password reset and forgotten user name discovery.
  • Provisioning: Provides centralized administration for managing access to cloud and on-premise applications. This includes adding, deleting and changing users and their association to a given group or role.
  • Federated SSO: Provides SSO to third-party Web applications, improving the end-user experience and productivity.

Organizations also reap the benefits of a cloud service, including elastic capability, cost savings, pay-as-you-go pricing and shorter deployment cycles.

As enterprises continue to operate in a hybrid environment that blends on-premise and cloud-based IAM services, CA is now positioned to deliver on both and give maximum flexibility to deploy IAM in a hybrid environment that best matches customer needs.

This is a significant announcement not just for the capabilities these services unlock for our customers, but also as a proof point of our commitment to the cloud as a viable delivery mechanism for IAM.   This is by no means the end of the story, but the beginning of our cloud journey - join us for the ride! 

 


 

By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

One week – two great events to see CA Technologies IAM solutions

Published: November 13 2011, 12:54 PM | no comments
by Leanne Agurkis

November 2011 is a month of numerical significance. Sure, 11-11-11 got all the attention, but 11-13-11 kicks off the week of CA World 2011 and the Gartner IAM Summit, providing two great events where IT security teams can see and hear first-hand about the new IAM as-a-Service solutions from CA Technologies as well as the other elements of our Identity and Access Management portfolio for information protection, identity management and access control.

So if you're in Las Vegas, check out CA World, kicking off this evening at the Mandalay Bay Resort and Casino, or if you're in San Diego, you can find CA Technologies at the Gartner IAM Summit starting Monday.

The two events feature demos and speaker sessions. John Hawley, Security product management, will speak at Gartner IAM Summit on "Making Cloud Computing Work for Your Organization," Tuesday, 11/15 at 10:45 am PT in Grand Ballroom B. In addition, there are more than 30 sessions at CA World covering all areas of IAM - from customer implementation stories to portfolio roadmaps. A sampling includes:

So if IAM is your game, CA World 2011 and Gartner IAM Summit are great options for fine-tuning your security strategy for the ongoing battle of controlling users, their access and what they can do with information.


 

By: Leanne Agurkis
Leanne Agurkis has spent 20 years in the communications field working in the areas of public relations, internal communications, and publishing. She has worked on the CA business for six years as both a consultant and now a full-time employee supporting CA’s Security & Compliance business which includes...

VMworld Europe and Virtualization Security

Published: November 01 2011, 10:42 AM | no comments
by Nimrod Vax

It's always interesting to see how different U.S. and European conferences are. VMworld Europe was probably the largest IT conference I've seen in Europe, with around 5,000 attendees, and it was located in Copenhagen - one of the most beautiful cities in Europe. Having been at VMworld in Las Vegas in August, it was refreshing to see genuine scenery!

I came along for the ride in support of the launch of our new product "CA Access Control for Virtual Environments," which manages privileged access to virtual and cloud computing environments. Security was a major theme at the show, with multiple security-related sessions presented both by VMware and its vShield ecosystem of partners - CA included. VMware did a great job in promoting these partnerships, as can be seen on VMworld TV. I had the pleasure of presenting a session with our partners VMware and HyTrust titled "PCI Compliance with CA, HyTrust and VMware." In this session, we highlighted some of the new considerations that are introduced by virtualization as they relate to identity management and compliance, specifically PCI, and how our new solution helps to solve those issues.

While there is a wide set of security solutions being offered for virtual environments today, most of them are focused on external threats. Very few solutions use an identity management approach and focus on the administrators of these environments. A recent breach at a pharmaceutical company, caused by a virtualization administrator, illustrates the power these administrators have and the impact they can have on a business. In this incident, a disgruntled administrator allegedly logged into the network from a Wi-Fi hotspot and within minutes deleted 88 virtual servers running the most sensitive applications, practically shutting down the business for a week and causing damages of $800,000.

Virtualization introduces a new layer that needs to be secured and administered. This new infrastructure provides administrators with full visibility into the virtual data center but also breaks the traditional walls between system, network, and storage administration. In the past we had servers in the server room and switches in the network room. Now everything is accessible within vCenter. So the physical controls we had in the past now need to be replaced by IT controls. Also, the virtual datacenter relies heavily on VM templates to streamline the provisioning process. VMs that are cloned from these templates will use the same local administrative credentials. These local administrative accounts have full control over the VMs and are typically known to the virtualization administrators.

The additional administrative layer is not all that is new. The primary driver we see today for virtualization projects is the relentless push to cut costs. In the early days it was the capital expenses that were reduced by consolidating hardware and space; today, we are seeing more emphasis on automation that drives operational cost down. Every new datacenter today is being built as a fully automated, self-service, private cloud. With that in mind, any solution that cannot be automated will be set aside, including security. Additionally, virtualization offers capabilities that allow IT to gain much better visibility into its environment, automate it better, and simplify security products to run without the need to install local agents.

So why not also leverage these capabilities in your security solution? This additional visibility and automation is especially important when dealing with the dynamic nature of these environments. This drives the need for a virtualization-aware solution that has visibility into the virtual environment, can help automate security control, and can benefit from the unique capabilities that VMware's virtualization technologies offer through specific vCenter and vShield APIs.

The latest incidents and the continued education of the compliance community have brought virtualization to the forefront of the governance frameworks and regulatory committees. We have seen recent interest from NIST, which issued a guide for securing virtual environments, and in June the Virtualization Special Interest Group of the PCI Security Standards Council published the PCI DSS virtualization guideline, with specific clarifications and guidelines on how PCI compliance should be achieved in virtual environments.

These industry evolutions have an increasing impact on our customers. As they become more virtualized and as more business-critical and sensitive applications are moved into virtual environments, the security and risk organizations are becoming involved and demanding the same level of control they had in the physical world. Additionally, with the new guidelines being put in place, organizations are seeking ways to reduce the scope of compliance in their virtual datacenter: Do all of the virtual servers need to be included? Can high-risk VMs and low-risk VMs share the same infrastructure (referred to as 'mixed mode' in PCI)? Lack of sufficient controls pushes many IT organizations to separate their virtual infrastructures for different levels of risk (a.k.a. "air gapping"). This goes against the purpose of virtualization, which focuses on resource sharing. There is a need for compensating controls that improve the isolation of different groups of VMs and thus minimize air gapping and increase VM density. Furthermore, such controls can allow sharing of the infrastructure between different lines of business or different tenants in a true IaaS environment because of the additional level of isolation. We are seeing increasing demand by consumers of IaaS for increased assurances that proper controls are in place to separate their sensitive data and services from others who share the same infrastructure.

Greater visibility into administrative activity is also a strong requirement for IT, as visibility is reduced when moving into a managed service model - whether that service is private or public. A virtualization-aware solution can actually provide better visibility in such an environment because the virtual infrastructure reports on events that are not audited in the physical world, such as who connected a server to the network or to storage, or who added memory or disk space to the server. Combining events that impact the VMs from the infrastructure side with events from within the VM itself and the applications running within it provides a more holistic view of the security and health of the service. These capabilities are much better than what can be provided in the physical world or by solutions that treat VMs just like any other machine.

Overall, these are not new problems. As long as there are people involved, the same problems of auditing actions and controlling access will remain. The new IT service model, the automation needs, and the underlying technology require us to adjust our solutions. If done properly, these solutions can actually increase the visibility and control in these environments and enable further savings.

Computer security image used under Creative Commons License courtesy of Mikey G Ottawa, original artist.


 

By: Nimrod Vax
Nimrod has over ten years of experience in Software Development including positions in R&D, and Product Management. He is a member of the Product Management Team for the CA Security Management BU managing the products for virtualization management, privileged user management and log management. As...
