Three Key Topics when Securing VMware Environments

Virtualization provides tremendous potential to optimize power, cooling, and data center operations. The benefits are high, and so are the risks. Co-mingling production and non-production servers, ensuring network-based countermeasures still function as intended, and provisioning are just a few of the issues that need to be addressed during planning, acquisition, and deployment of virtual systems and architectures.

1- Production vs. Development Environments

If your organization develops custom applications, in-house or outsourced, you may have several environments used to test and promote code to production operations. Quality Assurance (QA), Development (DEV), User Acceptance Testing (UAT), and Integration are a few of the environments found in many organizations. Both from an audit and control perspective and from that of resource utilization, the controls surrounding production systems are often quite different from those protecting the lower environments. This keeps the set of in-scope systems smaller for the auditor. It also means fewer countermeasures need to be purchased and maintained, so costs are reduced.

Some organizations look to consolidate these various environments within the same hypervisor. While this looks great architecturally, it does not bode well for the auditor trying to determine scope. Remember that the auditor may have limited technical depth. Explaining why systems that share the same hardware and rely on Virtual LANs (VLANs) for segmentation should still be treated as separate is often an uphill battle with the technically challenged. Equally, auditors with significant technical background may argue that a hypervisor does not provide adequate segmentation between environments. Based on these burdens I generally recommend a different hypervisor for production versus non-production systems. The risk of expanding the audit versus the cost of purchasing another physical machine generally makes it prudent to clearly segment the lower environments.

2- Network-Based Countermeasures

Many network-based countermeasures monitor network traffic and evaluate its content for potential issues. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Data Loss Prevention (DLP), and content filtering software are often architected on the premise that the tool will be able to see all traffic passing between two points. Connections between virtualized systems on the same host are switched inside the hypervisor and never reach the physical network, so they go unnoticed and bypass the network-based countermeasures. If you are using these types of countermeasures, make sure you have compensating controls within the virtual environment to maintain the level of control intended.

3- Migrating storage? Use the migration to reduce risk

Moving or migrating SAN storage is a common activity combined with virtualization, and it makes sense. As you migrate terabytes of data, there will be a moment when you speculate about the amount of duplicate, erroneous, useless, and improperly stored data you are moving. Regulations are intensifying, e-discovery is on the rise, and budgets are tightening. Reduce cost and risk during the project. Data Loss Prevention and de-duplication are two areas where prudent executives dig in to drive additional value from the budget.

Virtualization is a great technology. I am a huge proponent, and have even created open-source virtualized solutions to help organizations on a limited budget. The benefits are obvious and the destination is clear. Make sure to spend prudently and mitigate cost during this project. Many managers want to demonstrate prudent stewardship of organizational assets: leverage virtualization combined with a solid architecture to ensure success and maximize results from your budgeted efforts.
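The two checks from topics 1 and 2 (production and non-production guests sharing a hypervisor, and guest-to-guest traffic that a physical IDS/IPS or DLP sensor can never see) are easy to automate against an inventory export. The script below is an added example written for this page, not the author's code or any VMware tool; it runs over a constructed sample inventory, and the host, port group and environment values are assumptions. In a real environment the same records would be exported from the management layer, and `monitored_segments` would list the host/port-group pairs where an in-hypervisor sensor (the compensating control topic 2 calls for) is already deployed.

```python
"""Audit a VM inventory for two virtualization segmentation problems:
1. hypervisor hosts that run both production and non-production guests
   (every guest on such a host lands in the auditor's scope), and
2. guest pairs on the same host and same port group, whose traffic is
   switched inside the hypervisor and never reaches a physical IDS/IPS/DLP
   sensor unless a compensating control exists inside the virtual environment.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample inventory (assumed values, not real hosts or VMs).
SAMPLE_INVENTORY = [
    {"name": "erp-web-01",   "env": "PROD", "host": "esx-01", "portgroup": "VLAN10"},
    {"name": "erp-db-01",    "env": "PROD", "host": "esx-01", "portgroup": "VLAN10"},
    {"name": "erp-web-qa",   "env": "QA",   "host": "esx-01", "portgroup": "VLAN20"},
    {"name": "crm-web-01",   "env": "PROD", "host": "esx-02", "portgroup": "VLAN10"},
    {"name": "crm-db-01",    "env": "PROD", "host": "esx-03", "portgroup": "VLAN10"},
    {"name": "build-dev-01", "env": "DEV",  "host": "esx-04", "portgroup": "VLAN30"},
    {"name": "build-dev-02", "env": "DEV",  "host": "esx-04", "portgroup": "VLAN30"},
]

# Environment labels treated as production; everything else is "lower".
PRODUCTION_ENVS = {"PROD"}


def mixed_hosts(inventory):
    """Return {host: sorted environment list} for every host that carries both
    production and non-production guests (topic 1: audit scope creep)."""
    envs_by_host = defaultdict(set)
    for vm in inventory:
        envs_by_host[vm["host"]].add(vm["env"])
    return {
        host: sorted(envs)
        for host, envs in envs_by_host.items()
        if envs & PRODUCTION_ENVS and envs - PRODUCTION_ENVS
    }


def blind_spots(inventory, monitored_segments=frozenset()):
    """Return sorted (vm_a, vm_b) pairs that share a host AND a port group.
    Their traffic stays on the virtual switch, so a sensor on the physical
    network never sees it. Segments listed in monitored_segments, a set of
    (host, portgroup) tuples covered by an in-hypervisor sensor, are skipped
    (topic 2: compensating controls)."""
    by_segment = defaultdict(list)
    for vm in inventory:
        by_segment[(vm["host"], vm["portgroup"])].append(vm["name"])
    pairs = []
    for segment, names in by_segment.items():
        if segment in monitored_segments:
            continue
        # Guests in different port groups on one host must cross a router,
        # so that traffic does leave the host; only same-segment pairs count.
        pairs.extend(combinations(sorted(names), 2))
    return sorted(pairs)


def report(inventory, monitored_segments=frozenset()):
    """Build a plain-text findings report from both checks."""
    lines = []
    for host, envs in sorted(mixed_hosts(inventory).items()):
        lines.append(f"MIXED HOST  {host}: {', '.join(envs)} on one hypervisor")
    for a, b in blind_spots(inventory, monitored_segments):
        lines.append(f"BLIND SPOT  {a} <-> {b}: intra-host traffic, no physical sensor")
    return "\n".join(lines) if lines else "No findings."


if __name__ == "__main__":
    # Assume an in-hypervisor sensor already covers esx-04 / VLAN30.
    print(report(SAMPLE_INVENTORY, monitored_segments={("esx-04", "VLAN30")}))
```

Each MIXED HOST finding is a candidate for the separate production hypervisor the article recommends; each BLIND SPOT finding is a segment that needs either a sensor inside the virtual environment or a port-group change that forces the traffic onto the physical network where the existing countermeasures can inspect it.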