Q&A: Security for Virtual Environments
Virtualization brings a new set of security challenges.
Among the new challenges of a virtualized environment is security. As more servers are added quickly, IT finds that some mission-critical servers have limited visibility and control of the environment.
We examine how IT is coping and what tools IT pros are using, and suggest the best approach for troubleshooting problems, with Hezi Moore, the co-founder of Reflex Systems, a firm that helps organizations accelerate adoption of virtualized data centers.
Enterprise Strategies: How do security issues differ between physical and virtual environments?
Hezi Moore: Organizations leveraging virtualization technology are dealing with very dynamic environments that may be managed by multiple departments. Administrators are able to add more servers and do so faster and with fewer eyes on them and fewer controls in place. In contrast, physical servers are typically stationary; in the same place, the same rack, and with very little mobility.
From a server perspective, there really are no changes in security from physical to virtual environments. However, the process has changed and it is necessary to manage the process and the virtual infrastructure a little differently as it relates to security.
While virtualization provides significant cost and operational benefits for organizations, it introduces several new security challenges that traditional physical security devices cannot address. Unfortunately, many mission-critical servers are not leveraging the benefits of virtualization because of limited visibility and control inside the virtual network, plus the need to:
- Meet stringent compliance regulations
- Effectively monitor a dynamic environment
- Maintain secure configuration
- Protect against internal and external threats
Let me explain each of these points in order.
There are secure management and policy enforcement limitations in a virtual environment because of limited visibility and control. Since you can't control what you can't see, visibility is key to managing, monitoring, and securing this virtual infrastructure. Administrators need a logical visual representation of their virtual environment to understand their virtual network and track changes that could lead to security risks.
To take advantage of virtualization and adopt and deploy "defense in depth" best practices without the traditional high costs and complexities of physical infrastructure, administrators need the tools to efficiently meet stringent compliance requirements. Standards such as PCI, SOX, HIPAA, and GLBA require organizations to monitor all traffic and events on critical servers as well as maintain appropriate data security procedures, controls, and auditing capabilities. Virtualization requires an added layer of security to meet these regulations.
Virtualization creates an invisible dynamic environment where servers and applications are easily moved around and managed by multiple departments. This type of virtual infrastructure can create issues not common in physical environments, such as server mobility, server sprawl, unknown infrastructure changes, and cross-functional management controls.
To maintain secure configuration in a virtual environment, organizations need the ability to track all infrastructure changes in real time as well as historically to identify unauthorized configuration changes and configuration errors as well as to enforce policies across the entire virtual network infrastructure. The management of physical infrastructure is historically more segmented into traditional roles (such as network administration, security, and infrastructure). Virtualization deployments span multiple organizational departments that need access to the virtual infrastructure. This reinforces the need for visibility to monitor all changes and monitor and maintain configurations.
Finally, there are the traditional security threats that impact the physical and virtual datacenter such as Trojans, worms, malware, etc. Although external threats are present, inter-VM attacks are a greater concern within virtual environments.
From your answer, it sounds like the issues cross management and security areas.
Yes, virtualization is forcing companies to look at the organizational structure and determine how best to define roles and responsibilities in relation to the virtual infrastructure. Because of the dynamic nature of virtualization, many of the new challenges that may have security implications (such as server sprawl, server mobility, configuration, and infrastructure changes) can be caused simply by cross-functional management and administration. The virtual infrastructure management must be tied back to security and how any changes or events within the environment can impact your entire business.
How is IT coping today with security issues in virtualized environments?
The short answer is: many are not. Physical security devices residing outside the virtual infrastructure may be able to provide basic levels of security to the physical network, but they do not provide the visibility and control within the virtual infrastructure that is needed to address new virtualization challenges. Many companies are trying to use the same methodology and tools in the virtual environment that are typically used in physical environments and this will not work.
In a physical environment, there are many physical controls in place when making a change or addition to the network -- hardware purchase, coordination with various departments to access routers, switches, physical space to rack the servers, run cables, and so on. Utilizing virtualization, one person can do all of this in a matter of minutes, bypassing all the physical controls that exist in the physical environment. This increases exposure to risks caused by server mobility, server sprawl, and unauthorized configuration. There is a need for a purpose-built solution designed for virtualization that can address these unique challenges.
IT teams are also still trying to understand how the various roles (networking, security, and virtualization) play a part in the virtualization deployment and how that can impact the security. Organizations are looking for tools to help bridge the gap between security and management of the virtual infrastructure. Currently virtualization platforms are not designed to support cross-functional management, the virtual network, and the infrastructure. Although virtualization providers are working to improve this, virtualization security management tools can provide the level of visibility, administration, auditing, and enforcement points to be able to address security in the virtual environment and provide overall datacenter security.
Let's drill down into security and virtualization. What tools does IT use to understand the impact a security "fix" will have on the environment, including changes to the network?
As I said earlier, you can't secure what you can't see, and organizations need to look at security in context to the virtual environment. Some of their configuration management tools that were designed for physical infrastructure are being used in the virtual environment, but they are still focused on the server level, not in context with the overall security posture of the virtual environment.
This dynamic virtualization environment can't be monitored with the existing tools that are designed for the physical environment, and administrators are unable to perform forensics about particular events. Administrators need the ability to monitor the virtual environment, understand it, replay what happened, and see what the environment looks like at any given time to determine the best way to troubleshoot and control the environment.
What's the best way for IT to go back and troubleshoot a problem in a virtualized environment?
Today, when an event occurs, there is a need to troubleshoot and go back to a certain point in time to understand what happened to cause the event. Many times this need is driven by compliance regulations. Currently, in the virtual environment, the only way to troubleshoot and perform forensics is to physically review change logs (if they are being recorded) and manually filter through the information to reconstruct what the network may have looked like at the time of the event based on assumptions.
For example, if a server lost connectivity a week ago and the IT department just found out about it, they would need to determine what the network looked like before the event and understand what changed in the network to cause the event.
Because this process is manual and time consuming, many companies don't actually do the work to determine what caused the issue. IT departments need a tool that shows a visual representation of the virtual environment as well as real time and historical reporting to show what changed, who changed it, when it was changed, what happened from a network perspective to cause the event, and how this event relates to the security of the entire network infrastructure.
What does Reflex offer in the way of tools or services that helps IT better understand its virtualized environment?
Reflex Systems' VMC, our virtual security management solution, provides customers a comprehensive and cost-effective means to solve these ever-growing virtual datacenter security challenges and needs.
VMC provides comprehensive security and visibility to the virtual environment. Reflex VSM combines Reflex's Virtual Security Center (VSC) and award-winning Virtual Security Appliance (VSA) to secure, audit, and control the virtual infrastructure by providing unmatched visibility, network security and policy enforcement to protect virtual machines, networks and the underlying host of the virtualization platform. This allows organizations to provide appropriate security to virtual machines that would otherwise be exposed.
We also offer Reflex Virtual Security Center (VSC), which provides a single authoritative visual interface and central management for up to thousands of Reflex VSA instances so users can administer, secure, and monitor the virtual infrastructure. Through extensive real-time and historical visual reporting, Reflex VSC gives administrators the tools they need to efficiently meet stringent compliance requirements.
Finally, Reflex Virtual Security Appliance (VSA) provides security controls by integrating firewall, deep packet inspection, reporting, application awareness, and change control into a complete virtual security solution. It can safeguard communications between virtual components and resources outside the host machine, putting a complete security perimeter around and between virtual machines and reducing the risk of virtual machine intrusion, infection, compliance violations or other consequences. There are multiple deployment options for Reflex VSA depending on business need.