I recently had the opportunity to sit down with Eric Chiu, co-founder and president of HyTrust, to discuss the state of virtualization security. I will share that discussion with you on this blog.
CA Technologies partners with HyTrust, the leader in policy management and access control for virtual infrastructure. HyTrust empowers organizations to virtualize more-including servers that may be subject to compliance-by delivering enterprise-class controls for access, accountability, and visibility to their existing virtualization infrastructure. The HyTrust Appliance is a key component of CA ControlMinder for Virtual Environments.
Q: What is the current state of virtualization security adoption?
A: Security isn't a major issue in organizations that are content to limit virtualization to non-critical workloads that aren't subject to regulatory compliance or internal security requirements. There's always room for improvement, but if you don't have any desire to take virtualization farther you're probably OK with the security the virtualization platform provides.
These days, though, I think such enterprises are in the minority. Most IT executives love the cost savings they've achieved by virtualizing lower-tier workloads and want to take the next step. They want to virtualize their mission-critical apps and workloads subject to compliance requirements. Many are already doing so, but are realizing they don't have the necessary virtualization security and compliance tools in place. It's not that these organizations haven't done a good job with virtualization security. It's that they're discovering they have a major problem to solve before they can move forward.
We recently briefed the CISO and her team at a highly visible financial institution that has a strong push to virtualize higher tier workloads. They're subject to PCI and SOX, and when the CISO turned to her team and asked what they've done to address virtualization security gaps like access control and logging, the answer was "nothing."
What are the pain points that occur when virtualization security falls behind the needs of critical apps?
A: The biggest pain is the financial one of having to slow down your virtualization deployment when you realize you're not willing to accept a lower level of protection and compliance for your critical workloads in the virtual data center than you have in the physical one. This is the pain of lost cost savings, lower operational performance and resiliency, etc.
The flip side of this pain is if you've already begun virtualizing your production or in-scope apps and you realize you've opened yourself up to audit failures or big financial penalties or both. Most customers that buy CA ControlMinder for Virtual Environments are concerned about PCI, SOX, HIPAA, or other regulations, and one or the other of those pain points is usually on their mind when they make that decision.
That said, many of the enterprises that initially adopted our solution for compliance purposes are choosing to deploy it throughout the virtual infrastructure. They're now concerned more broadly about IT governance in the virtual environment. They see privileged user management as a core aspect of governance that should be consistent across their physical and virtual infrastructures.
You mentioned access control as a virtualization security gap. What's the issue in that area?
A: Privileged users of vCenter, ESX and ESXi hosts typically have powers that far exceed the capabilities of a physical server administrator. With a few clicks, they can create or destroy a VM [virtual machine], power it on or off, copy a VM image to a USB drive, shut down virtual security appliances, reconfigure virtual networking or storage ... the list goes on. On top of that, ‘root' account sharing is common and results in anonymous administrator activity and lack of accountability.
The gap is that the virtualization platform wasn't designed to enforce least privilege access policies or to segregate the duties of privileged users. All of the major regulations require these types of controls in one form or another for compliance. So if you've virtualized in-scope workloads without any other privileged user controls, you're likely in violation. Or maybe you held off virtualizing higher-tier workloads for that very reason. Either way, you're paying the price: with lost cost savings or higher risk of an audit failure or non-compliance penalties.
Stat tuned for Part 2 of this Q&A.