Last month we posted the first part of a conversation with Eric Chiu, co-founder and president of HyTrust, to discuss the state of virtualization security. This is part 2 of that conversation.
Q: What tips do you have for enterprises as they approach virtualization security?
A: The biggest one is avoiding the "ready, fire, aim" approach. That's where you start virtualizing test/dev and other non-critical applications, but quickly expand to Tier 1 applications before the security and compliance requirements for these mission-critical apps are well understood and addressed. We often hear that the VMware operations team didn't bring security or compliance staff into planning discussions until something went seriously wrong or the virtualization project was put on hold until security requirements were met.
If these groups collaborated more up-front, they could understand and meet the security needs of higher tier workloads from the get-go. Then they could virtualize more workloads faster and get bigger financial returns from virtualization sooner.
Q: Do you think virtualization security needs are overlooked because enterprises believe their existing data center defenses are enough?
A: Definitely - that's a common assumption, even though it's misguided. But to be fair, once we explain virtualization-specific vulnerabilities that aren't addressed by traditional security measures, most customers "get it" pretty fast.
For instance, we'll go through scenarios of how VMware users can accidentally or intentionally cause major downtime or other damage. This is regardless of the legacy access controls in place. Virtualization veterans typically understand this and the implications for their mission critical workloads. Actually, some folks claim that all their privileged users are 100% trustworthy and won't make any costly mistakes. The problem is that compliance auditors and CSOs usually aren't as trusting.
Q: Since you mention auditors, how does virtualization affect compliance audits?
A: A large part of compliance is being able to track the actions of users with access to sensitive data, and of course control those actions. In fact, access control is a key element of PCI, HIPAA, FISMA, SOX ... basically, all the major regulations. It's as necessary to have it for virtualized tier 1 workloads as it is for the traditional data center.
To meet auditor requirements, you need to log every attempted admin operation and tie every action to a specific privileged user. You also need an automated way to compile all the logs from all the vSphere hosts in a uniform format.
Many people don't realize that the VMware platform doesn't do these things for them. It's actually really eye-opening to see all the standard audit and compliance data that isn't provided. In addition to not getting unique user IDs for every record, you don't get logs of denied or failed admin requests, source IP addresses, basic details around reconfiguration of resources like virtual switches, and so on.
To make matters worse, the platform's logging mechanisms can be easily bypassed in various ways, such as direct-to-host admin connections. It's also a huge manual chore to aggregate the log data from all the ESX and ESXi hosts as well as vCenter. The fact that CA ControlMinder for Virtual Environments captures and compiles all that missing compliance data automatically is one of its biggest selling points.
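The answer above lists what an auditor expects from every privileged-action record (a unique user ID, the source IP, denied as well as successful requests) and the chore of pulling logs from vCenter and each host into one uniform format. The following added example, which is not HyTrust's or CA's code and not the output of any real VMware product, shows the shape of that normalization step: it takes log lines in two hypothetical, constructed formats (a vCenter-style CSV and a host-style syslog line), maps them onto one record schema, and then reports which records would fail an audit because a required field is absent or because the "user" is a shared account rather than an individual.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample lines (not real vCenter/ESXi output): two hypothetical
# formats that a collector might receive, mixed in one feed.
SAMPLE_LOGS = [
    # "vCenter-style" CSV: ts,source,user,source_ip,action,target,outcome
    "2012-05-01T10:00:01Z,vcenter01,alice@corp,10.1.1.5,VmReconfigure,vm-web01,success",
    "2012-05-01T10:00:03Z,vcenter01,bob@corp,10.1.1.9,VmPowerOff,vm-db01,denied",
    # "host-style" syslog lines as they might arrive from a direct-to-host session
    "May  1 10:00:05 esx02 hostd: [user=root] VmPowerOff vm-db01 success",
    "May  1 10:00:09 esx03 hostd: HostReboot esx03 denied",
]

# Fields an auditor expects on every privileged-action record.
REQUIRED = ("user", "source_ip", "outcome")
# Account names that do not identify an individual (assumed list).
SHARED_ACCOUNTS = {"root", "administrator", "admin"}


@dataclass
class AuditRecord:
    """Uniform schema that every source format is mapped onto."""
    ts: str
    source: str
    action: str
    target: str
    user: Optional[str] = None
    source_ip: Optional[str] = None
    outcome: Optional[str] = None
    raw: str = ""


_CSV_RE = re.compile(r"^(\S+Z),([^,]+),([^,]*),([^,]*),([^,]+),([^,]+),([^,]+)$")
_HOST_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) hostd: "
    r"(?:\[user=(?P<user>[^\]]+)\] )?(?P<action>\S+) (?P<target>\S+) (?P<outcome>\S+)$"
)


def parse_line(line: str) -> Optional[AuditRecord]:
    """Map one raw line onto AuditRecord, or None if the format is unknown."""
    m = _CSV_RE.match(line)
    if m:
        ts, src, user, ip, action, target, outcome = m.groups()
        # Empty CSV cells become None so the gap check sees them as missing.
        return AuditRecord(ts, src, action, target, user or None, ip or None, outcome, line)
    m = _HOST_RE.match(line)
    if m:
        # The host format carries no source IP at all and the user tag is optional.
        return AuditRecord(m["ts"], m["host"], m["action"], m["target"],
                           m["user"], None, m["outcome"], line)
    return None


def normalize(lines: List[str]) -> List[AuditRecord]:
    """Compile a mixed feed into one uniform list, dropping unparseable lines."""
    records = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def audit_gaps(records: List[AuditRecord]) -> Dict[int, List[str]]:
    """Return {index: [problems]} for records that would not satisfy an auditor."""
    gaps: Dict[int, List[str]] = {}
    for i, rec in enumerate(records):
        problems = [f"missing {f}" for f in REQUIRED if getattr(rec, f) is None]
        if rec.user and rec.user.lower() in SHARED_ACCOUNTS:
            problems.append("shared account, not a unique user ID")
        if problems:
            gaps[i] = problems
    return gaps


def denied_actions(records: List[AuditRecord]) -> List[AuditRecord]:
    """Denied or failed admin requests, which must be retained, not discarded."""
    return [r for r in records if r.outcome in ("denied", "failed")]


def direct_to_host(records: List[AuditRecord], vcenter_sources: Set[str]) -> List[AuditRecord]:
    """Records whose source is a host rather than vCenter: sessions that bypassed central logging."""
    return [r for r in records if r.source not in vcenter_sources]


if __name__ == "__main__":
    recs = normalize(SAMPLE_LOGS)
    for idx, problems in audit_gaps(recs).items():
        print(f"record {idx} ({recs[idx].source}): {', '.join(problems)}")
    print("denied:", [r.action for r in denied_actions(recs)])
    print("direct-to-host:", [r.source for r in direct_to_host(recs, {'vcenter01'})])
```

Running it on the constructed feed reports the two host-originated records as deficient (one with a shared root account and no source IP, one with no user at all), keeps both denied requests, and singles out the two records that arrived from hosts rather than vCenter. In a real deployment the two regexes would be replaced by parsers for the actual log formats in use; the schema and gap checks are the part that carries over.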
Q: We've covered some of the big "do's" and "don'ts" of virtualization security. In a prior discussion, you mentioned an overall strategy or framework based on four "must have" security functions. What are the four "must haves"?
A: The four "must haves" are the set of virtualization-optimized solutions that industry analysts and experts recommend enterprises need to have in order to build out a secure cloud infrastructure. The four category areas are access control and account management; network and endpoint security; configuration management and hardening; and SIEM and log management.
These four areas are key because they give you the fundamental controls and protections that companies need to ensure corporate governance, security and regulatory compliance requirements are met. Our customers are requiring all of these functions to be met and are specifically looking for virtualization-optimized solutions to address these needs given that more of the datacenter is now virtualized. This ensures that the solutions address the unique characteristics and dynamics of virtualized cloud environments and are optimized to provide greater efficiencies and consolidation ratios.
Going forward, many companies need to consolidate their datacenters further in a multi-tenant cloud environment given that physical "air-gapping" reduces the ROI benefits of virtualization. Combine this with the move towards a software defined datacenter and security needs to be automated and policy-driven to address all of these needs.