Virtualization
Organizations considering virtualized platforms will have to examine their impact on overall security policy.
Moving to a virtualized implementation involves maintaining a culture of security diligence, reports Jim Romeo.
When the City Council of Athens, Ala. convened in early 2013, Dale Haymon, the city's director of information technology, delivered a presentation focused on how the municipality could save about $49,000 on energy and electricity costs, and facilitate its many IT processes by structuring servers and clients with virtualization.
Although the promise of reduced costs has appealed to many in similar situations, security experts warn that the savings must not be allowed to short-circuit careful scrutiny by today's CIOs and IT leadership. A thorough examination must take into account the impact that virtualization will have on an organization's overall security policy, the risk it introduces, how to mitigate that risk, how to implement access controls, and what best practices the organization can or should adopt in its present IT environment.
Assessing the risk of a virtualized environment begins with an understanding of the IT architecture and of the configuration and hardware that enable it. The largest risk in virtualization is having multiple operating systems and applications on a single host, says Brandon Meyer, an engagement manager with SWC Technology Partners, an IT consultancy based in Chicago. "In the event of a host failure, you are losing multiple applications at once instead of a single one," he says. "This is becoming a larger risk with better hardware that allows you to put more and more applications on a single host. It is not unheard of to have 30 to 40 or even 50 instances of virtual machines running on a single piece of hardware."
When evaluating that risk, one needs to look at the applications in use and determine what the effects are if a given host were to fail. For instance, he says, with a three-tier application it does not make sense to spread the tiers across multiple hosts: lose any one tier and access to the entire application is lost. "In this scenario, you want to set up rules within your virtualization hypervisor to keep all instances of that application on the same host," Meyer says. "This way you have reduced the number of applications that will be down by 33 percent." The opposite rule applies to load-balanced systems such as web front-ends: when an implementation has multiple instances of a load-balanced application, administrators need to keep those instances off a single host and make sure they are split across multiple hosts, and across multiple storage arrays if possible, he says.
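The two placement rules Meyer describes are what hypervisor schedulers call affinity (keep an application's tiers together) and anti-affinity (keep load-balanced instances apart), and the trade-off is easiest to see by computing the blast radius of a host failure. The following Python script is an added example, not code from the article or from any vendor it mentions; the inventory, host names and application names in it are constructed for illustration.

```python
"""Affinity / anti-affinity placement check and host-failure blast radius.

Added example for this page (not the article's or any vendor's code). The
inventory below is constructed: vm -> (host, application, tier, load_balanced).
"""
from collections import defaultdict

BEFORE = {
    "erp-web":      ("host-a", "erp",    "web", False),
    "erp-app":      ("host-a", "erp",    "app", False),
    "erp-db":       ("host-b", "erp",    "db",  False),  # tier split off onto another host
    "portal-web-1": ("host-a", "portal", "web", True),
    "portal-web-2": ("host-a", "portal", "web", True),   # both load-balanced instances on one host
    "portal-db":    ("host-c", "portal", "db",  False),
    "crm-web":      ("host-c", "crm",    "web", False),
}

# The same workloads after applying the two rules: keep erp's tiers together,
# spread the load-balanced portal web pair over two hosts.
AFTER = dict(BEFORE)
AFTER["erp-db"] = ("host-a", "erp", "db", False)
AFTER["portal-web-2"] = ("host-b", "portal", "web", True)


def affinity_violations(inv):
    """Applications whose single-instance tiers are spread over more than one host."""
    hosts = defaultdict(set)
    for host, app, _tier, lb in inv.values():
        if not lb:
            hosts[app].add(host)
    return {app: sorted(h) for app, h in hosts.items() if len(h) > 1}


def anti_affinity_violations(inv):
    """Load-balanced tiers with two or more instances on the same host."""
    per_host = defaultdict(list)
    for vm, (host, app, tier, lb) in inv.items():
        if lb:
            per_host[(app, tier, host)].append(vm)
    return {key: sorted(vms) for key, vms in per_host.items() if len(vms) > 1}


def blast_radius(inv, failed_host):
    """Return (fully down, degraded) applications if failed_host dies.

    An application is fully down when some tier has no surviving instance,
    and degraded when it lost an instance but every tier still has one."""
    tiers = defaultdict(lambda: defaultdict(list))  # app -> tier -> [host, ...]
    for host, app, tier, _lb in inv.values():
        tiers[app][tier].append(host)
    down, degraded = [], []
    for app, by_tier in tiers.items():
        touched = any(failed_host in hosts for hosts in by_tier.values())
        dead = any(all(h == failed_host for h in hosts) for hosts in by_tier.values())
        if dead:
            down.append(app)
        elif touched:
            degraded.append(app)
    return sorted(down), sorted(degraded)


def hosts_that_kill(inv, app):
    """Hosts whose single failure takes app fully down; fewer is better."""
    all_hosts = {host for host, *_ in inv.values()}
    return sorted(h for h in all_hosts if app in blast_radius(inv, h)[0])


if __name__ == "__main__":
    for label, inv in (("before", BEFORE), ("after", AFTER)):
        print(f"[{label}] affinity violations: {affinity_violations(inv)}")
        print(f"[{label}] anti-affinity violations: {anti_affinity_violations(inv)}")
        for host in sorted({h for h, *_ in inv.values()}):
            down, degraded = blast_radius(inv, host)
            print(f"[{label}] {host} fails -> down={down} degraded={degraded}")
        print(f"[{label}] hosts whose failure takes erp down: {hosts_that_kill(inv, 'erp')}")
```

`hosts_that_kill` is the number to watch: before the rules are applied two different hosts can each take the ERP application down, afterwards only one can, and spreading the web pair turns a host loss for the portal into a degraded state rather than an outage. The same functions can be pointed at an export from a real inventory as long as each VM carries an application and tier label.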
On a single host, many virtual machines (VMs) are affected when security is breached; the bigger problem in a virtual environment is the far-reaching impact that a single point of attack has on all the VMs associated with it. "A compromise of the virtualization layer could result in the compromise of all hosted VM workloads," says Gary Loveland, a principal and leader of PwC's global security practice in Irvine, Calif. "If the hypervisor is attacked, the hacker could have access to all data that flows across it, and could get into all of the VMs. On a typical hypervisor setup, workloads and different VMs can be consolidated on the same physical server. That is becoming increasingly common for cost and power efficiency."
For example, he says, a physical server might be hosting a VM with a database that holds sensitive content, and another VM might be hosting the front-end of the application. This can create challenges for compliance. The hypervisor itself requires patching, and unless the VMs can be migrated to another host first, all of them have to be brought down at once. So it is not a single server that is at risk, but all the images along the chain. This all adds to the challenge of developing and implementing a security policy designed to safeguard against intrusions.

Security monitoring must take into account all of the virtual networks that exist. Loveland says the lack of visibility and controls on internal virtual networks can blind existing security policy enforcement mechanisms. "Virtual servers are generally not monitored in the same way that physical servers are, and when VMs can communicate, it can create an invisible network," he says. "You need all of the same controls – firewalls, sniffers, etc. – that would be used on a physical server inside the virtual network to monitor effectively."

80% of federal information technology leaders say their agencies have implemented some manner of server virtualization. – 2012 MeriTalk survey

www.scmagazine.com | © 2013 Haymarket Media, Inc.
As well, there is a potential loss of separation of duties for network and security controls. "When physical servers are collapsed into a single machine, it increases the risk that both system administrators and users will inadvertently gain access to data that exceeds their normal privilege levels," he says. "Another area of concern is which group configures and supports the internal virtual switch."
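Loveland's "invisible network" is concrete and checkable: two VMs whose virtual NICs sit on the same virtual switch and VLAN on the same host exchange frames inside the hypervisor, so neither the physical firewall nor a span port on the physical uplink ever sees them. The Python audit below is an added example, not code from the article or from any vendor; it runs over a constructed inventory and flags cross-zone pairs that share a segment, hosts that mix zones (the physical-segmentation point Jerry Irvine makes in the interview later on this page), VMs whose VLAN does not match their zone, and segments carrying VM-to-VM traffic that no sensor taps. The zone-to-VLAN policy and the set of monitored switches are assumptions made for the example.

```python
"""Audit of virtual-network segmentation inside a hypervisor cluster.

Added example for this page (not from the article or any vendor). Inventory,
zone-to-VLAN policy and the set of monitored switches are all constructed.
"""
from collections import defaultdict
from itertools import combinations

# vm -> host it runs on, its security zone, and the vSwitch / VLAN of its vNIC
VMS = {
    "app-int-1":  {"host": "esx-1", "zone": "internal", "vswitch": "vSwitch0", "vlan": 20},
    "db-pci-1":   {"host": "esx-1", "zone": "pci",      "vswitch": "vSwitch0", "vlan": 10},  # mis-tagged
    "web-dmz-1":  {"host": "esx-1", "zone": "dmz",      "vswitch": "vSwitch0", "vlan": 10},
    "hr-int-1":   {"host": "esx-2", "zone": "internal", "vswitch": "vSwitch1", "vlan": 20},
    "mail-dmz-1": {"host": "esx-2", "zone": "dmz",      "vswitch": "vSwitch0", "vlan": 10},
    "web-dmz-2":  {"host": "esx-2", "zone": "dmz",      "vswitch": "vSwitch0", "vlan": 10},
}

# Assumed policy: the VLAN each zone is supposed to live on.
ZONE_VLAN = {"dmz": 10, "internal": 20, "pci": 30}

# Assumed: (host, vswitch) pairs that feed an IDS or sniffer via a mirror/promiscuous port.
MONITORED = {("esx-1", "vSwitch0"), ("esx-2", "vSwitch1")}


def invisible_links(vms):
    """Cross-zone VM pairs sharing one layer-2 segment (host, vswitch, vlan).

    Frames between such a pair stay inside the hypervisor's virtual switch and
    never cross a physical firewall or a span port on the uplink."""
    segments = defaultdict(list)
    for vm, v in vms.items():
        segments[(v["host"], v["vswitch"], v["vlan"])].append(vm)
    links = []
    for (host, vsw, vlan), members in segments.items():
        for a, b in combinations(sorted(members), 2):
            if vms[a]["zone"] != vms[b]["zone"]:
                links.append((a, b, host, vsw, vlan))
    return sorted(links)


def zone_mixing_by_host(vms):
    """Hosts that run workloads from more than one security zone."""
    zones = defaultdict(set)
    for v in vms.values():
        zones[v["host"]].add(v["zone"])
    return {h: sorted(z) for h, z in zones.items() if len(z) > 1}


def mis_tagged(vms, policy):
    """VMs whose port-group VLAN is not the VLAN assigned to their zone."""
    return sorted(vm for vm, v in vms.items() if policy.get(v["zone"]) != v["vlan"])


def unmonitored_segments(vms, monitored):
    """(host, vswitch) pairs with VM-to-VM traffic that no sensor sees."""
    members = defaultdict(list)
    for vm, v in vms.items():
        members[(v["host"], v["vswitch"])].append(vm)
    return {seg: sorted(m) for seg, m in members.items()
            if len(m) > 1 and seg not in monitored}


if __name__ == "__main__":
    for a, b, host, vsw, vlan in invisible_links(VMS):
        print(f"cross-zone L2 adjacency: {a} <-> {b} on {host}/{vsw} vlan {vlan}")
    for host, zones in zone_mixing_by_host(VMS).items():
        print(f"zone mixing on {host}: {zones}")
    print("VLAN does not match zone:", mis_tagged(VMS, ZONE_VLAN))
    for (host, vsw), vms in unmonitored_segments(VMS, MONITORED).items():
        print(f"no sensor on {host}/{vsw}: {vms} can talk unseen")
```

In the constructed data the PCI database has been dropped onto the DMZ VLAN, which is exactly the kind of port-group mistake a physical patch panel would have made visible; `mis_tagged` catches the root cause while `invisible_links` shows the consequence. The check is per host because that is where the traffic stays invisible; VMs on different hosts still cross a physical uplink where ordinary controls apply.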
Risk mitigation: Manage, validate and control
For an IT manager, virtualization demands prompt mitigation in response to an incident, and this is always a challenge for IT leadership. It is an ever-changing skill set and business practice that must adapt as security threats change and find their way into network infrastructure. For virtualized environments, risk mitigation begins with sound security policies anchored in a good understanding of the platform by every member of the enterprise security team.
Loveland says VMs should be held to the same standards as physical machines, as they require the same separation and security controls. "Organizations should extend their policies, practices and technologies to manage, validate and control the virtual infrastructure," he says. "Monitoring and protecting each layer in the configuration is crucial to reducing the threat surface."
Additionally, virtualization security must begin with the security team and operations team working in tandem to develop a mutual understanding of the virtual platform, he says. Together, these groups should develop a common set of processes and strategies that become the guidelines for virtual data center functioning.
And the transition does not have to be difficult. CIOs can embrace certain security models to strengthen their virtualization security, says Stan Yarbrough, a consultant with Datalink, based in Minneapolis. "Moving from physical to virtualized security is viable and easy," he says. And aligning the security management functions within the organization to embrace newer security models can significantly reduce costs, he says. "Using security models that consider virtualized technology and data protection can accelerate the move to cloud technologies. Physical security models greatly limit the capability to create scalable infrastructure."

20% savings within the federal government in its IT budget through virtualization – 2012 MeriTalk survey

$5B in savings annually by 2015 from the government's transitioning to server virtualization and cloud computing storage. – 2012 MeriTalk survey

Securing a virtual environment: Five major requirements

1. Limit who can design, create and implement virtual environments. Do not allow departments, organizations or partners to develop even test virtual environments without IT involvement.
2. Require standards, such as policies, system and application images, access controls, patch management, data security configurations, naming and addressing conventions.
3. Require physical segmentation for security requirements.
4. Require physical separation of data across multiple clients, as well as personally identifiable information (PII) sets.
5. Purchase special tools and applications to monitor the system and application communications that occur between virtual devices.

– Jerry Irvine, CIO of Prescient Solutions, provided these five tips for defending virtualized environments.
Yarbrough adds that virtualization allows servers to become easily mobile among data centers and to be distributed as needed based on workload and security requirements. "A software development organization can ensure that new development takes place in highly secure private data centers, and, once released, can be moved to other data centers for deployment or access by customers," he says. "Virtualization can allow internal servers and DMZ servers to share the same system resources with a very high level of security controls, including intrusion prevention and firewalling. It is possible to build highly scalable, multi-tenancy environments with less cost and greater operational controls." Not every expert interviewed here agrees on that last point: Jerry Irvine, in the interview below, argues that internal and publicly accessible systems should be separated physically as well as virtually.
Access, control and permissions
Access, control and permissions play important roles in achieving solid virtualization security. This begins with managing the people who will be servicing and maintaining the VMs. PwC's Loveland says organizations should implement role-based access control for administrative capabilities to limit user access and to monitor the number of VMs in the organization. This also provides a process for patching and maintenance schedules.
"Risks are mostly the same as non-VM implementations with respect to the logical system-level related issues, but additional considerations are required for VM admin setup and processes related to security and operational access," says Alon Israely, a licensed attorney and certified information systems security professional, who leads strategic partnerships for New York-based BIA (Business Intelligence Associates), a firm he co-founded. "These additional considerations include, for example, access to shut down or initiation of a virtualized system, access to and management of licenses (OS or app licenses), underlying infrastructure access and control, and IT and HR policies."
The administrative process of authorizing and documenting roles and permissions is an important part of security management in a virtualized environment. "Authorization and proper documentation of changes to any of the roles and permissions for administrators can have a detrimental impact on the risk of virtual machine infrastructures," says Steve Barone, the founder and CEO of Creative Breakthroughs, a Troy, Mich.-based IT advisory services firm. "Controlled access to the VMs via proper lockdown of the privileges should be maintained at all times, and controlled access to the virtual environments should be ensured to reduce code exploitation through malicious software attacks."
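Loveland's role-based administrative access, Israely's concern with who can shut down or start a system, and Barone's lockdown of privileges all reduce to questions a role model should answer mechanically: what a role grants once inheritance is resolved, who can exercise a given right on a given VM, and which users hold a toxic combination such as configuring the virtual switch and creating the workloads behind it. The Python below is an added example rather than the article's or any product's code; the roles, permission names, users, folders and separation-of-duties pairs are constructed for illustration and only loosely modelled on the kind of role hierarchy hypervisor management consoles expose.

```python
"""Role model for hypervisor administration: effective rights, scope, separation of duties.

Added example for this page (not the article's or any product's code). Roles,
permission names, users, folders and the toxic-pair rule are all constructed.
"""
from collections import defaultdict

# role -> roles it inherits from, plus the permissions it grants itself
ROLES = {
    "read-only":     {"inherits": [],              "perms": {"vm.view", "network.view"}},
    "vm-operator":   {"inherits": ["read-only"],   "perms": {"vm.poweron", "vm.poweroff", "vm.console"}},
    "vm-admin":      {"inherits": ["vm-operator"], "perms": {"vm.create", "vm.delete", "vm.snapshot"}},
    "network-admin": {"inherits": ["read-only"],   "perms": {"vswitch.configure", "portgroup.configure"}},
    "host-admin":    {"inherits": ["vm-admin", "network-admin"],
                      "perms": {"host.patch", "host.maintenance"}},
}

# (user, role, scope); scope is "*" (every VM) or a folder name
ASSIGNMENTS = [
    ("alice", "host-admin",    "*"),
    ("bob",   "vm-operator",   "folder:dmz"),
    ("carol", "network-admin", "*"),
    ("carol", "vm-admin",      "folder:internal"),
    ("dave",  "read-only",     "*"),
]

# vm -> folder it lives in
VM_FOLDER = {"web-dmz-1": "folder:dmz", "erp-db": "folder:internal"}

# Separation of duties: nobody should both redraw the virtual network boundary
# and create or delete the workloads that sit inside it.
SOD_PAIRS = [("vswitch.configure", "vm.create"), ("portgroup.configure", "vm.delete")]


def effective_perms(role, _seen=None):
    """Every permission a role grants once inheritance is resolved (cycle-safe)."""
    seen = set() if _seen is None else _seen
    if role in seen:
        return set()
    seen.add(role)
    perms = set(ROLES[role]["perms"])
    for parent in ROLES[role]["inherits"]:
        perms |= effective_perms(parent, seen)
    return perms


def perms_on(user, vm, assignments=ASSIGNMENTS):
    """Permissions user holds on one VM, honouring the scope of each assignment."""
    folder = VM_FOLDER[vm]
    held = set()
    for u, role, scope in assignments:
        if u == user and scope in ("*", folder):
            held |= effective_perms(role)
    return held


def who_can(perm, vm, assignments=ASSIGNMENTS):
    """Users able to exercise perm on vm, e.g. who can power it off."""
    users = {u for u, _, _ in assignments}
    return sorted(u for u in users if perm in perms_on(u, vm, assignments))


def sod_violations(assignments=ASSIGNMENTS):
    """Users whose combined rights across all scopes contain a toxic pair."""
    held = defaultdict(set)
    for u, role, _scope in assignments:
        held[u] |= effective_perms(role)
    out = {}
    for u, perms in held.items():
        hits = sorted(p for p in SOD_PAIRS if p[0] in perms and p[1] in perms)
        if hits:
            out[u] = hits
    return out


if __name__ == "__main__":
    print("host-admin grants:", sorted(effective_perms("host-admin")))
    for vm in VM_FOLDER:
        print(f"can power off {vm}:", who_can("vm.poweroff", vm))
    for u, hits in sod_violations().items():
        print(f"separation-of-duties violation for {u}: {hits}")
```

`who_can` is the answer to Israely's question about shutdown rights, and it is scope-aware: bob can power off the DMZ web server but not the ERP database. `sod_violations` is deliberately scope-blind, because the concern is the person, not the folder: carol holds network configuration everywhere and VM creation on the internal folder, and that combination is enough to redraw a boundary and populate it. A real deployment would feed this from the management console's role export and run it on every role change, which is the documented authorization step Barone calls for.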
As virtualization becomes more common, its security will continue to challenge IT leadership. However, there are many management actions and steps that can be taken to bolster data protection and improve the utility of virtualized servers. CIOs and IT managers should approach security management by viewing and evaluating, from a systematic viewpoint, the virtual environment they are controlling. "With any virtualization initiative, it is essential to define an evaluation framework to enable a systematic, structured and thorough systems view," says Loveland. "Extend your existing security solutions to cover the virtualized environments and have an independent layer handle the virtual environment's security, on top of OS security, network security and application security." Firewalls and scans, he adds, should be deployed and conducted on a separate layer that cannot be reached from the guest OS. "Continually monitor the virtual network and implement the same security standards used on physical machines," he says.

37% of the federal IT workload today is done on virtualized servers – 2012 MeriTalk survey
As well, it is important to build an overall security strategy with an accompanying architecture to implement it. "We strongly recommend that you should have an overall security strategy and architecture," Loveland says. "Addressing security for a specific technology or component is not a good approach. Security needs to be addressed proactively, before new technology is introduced."
As the virtualization of private data centers expands and matures, cloud computing – especially the public cloud – will drive security, says Shaun Donaldson, director of alliances at Bitdefender, a Bucharest, Romania-based anti-virus vendor. "Public cloud adoption is accelerating, and private cloud is a future that virtualization vendors wish upon all of their customers," he says. "Organizations today are concerned less with asking whether or not they will virtualize or use public cloud, but rather: How do we do it?"

"The acceptance of in-house cloud, public cloud, and hybrids of the two, will continue to accelerate," he adds. Also, the future of security involves planning for the data center, rather than safeguards being bolted on after the fact. "Security practitioners would be well served by anticipating data center trends," Donaldson says. "Security cannot be the missing link. In the next three to five years, security must be architected to operate on multiple hypervisors, interact with different management and orchestration platforms and, above all, take advantage of the opportunities that hypervisors provide."
Virtualization security: A CIO’s perspective
Jerry Irvine is CIO of Prescient Solutions, an IT consultancy based in Chicago. He provides strategic direction on all IT matters to his firm's client companies, as well as to Prescient. We spoke with him to understand his views on virtualization security in today's IT landscape:
SC: Can you tell us about your experience with virtualization and virtualization security projects? What sort of challenges have your clients brought to you on this topic?
Jerry Irvine: While security is always a major concern, it becomes even more challenging when supporting environments designed to house multiple concurrent clients – accessing disparate applications – via the same physical server, data storage solution and communications link.

Legacy security solutions began with the principle of physical segmentation. Since the advent of shared services – application service providers, software-as-a-service, and now the cloud – security can no longer be maintained via the separation or segmentation of physical perimeters. Security must now be enabled throughout the system environment – from the development of access controls, operating systems and applications, as well as some form of physical security. Nevertheless, as a result of virtualization, the focus of IT security has shifted from device- and perimeter-based security to data security.
SC: Can you cite some examples of the dangers of intrusion and breaches in a virtualization setting?
JI: Many intrusions and breaches can continue to be traced back to the lack of definition and implementation of standards, policies and procedures, even in a virtual environment. After implementation of virtual servers and systems, many companies begin "over-virtualizing." Creating separate application and systems environments in multiple virtual systems is commonplace, even when the development of another virtual server is not justified. This "over-virtualization" creates even greater complexity, making complete systems documentation more time-consuming, difficult and improbable. As a result, standard management and update procedures are not put into place for all systems. This ultimately leads toward server infestation with malicious applications, causing loss or corruption of data, systems outages and complete remote control of systems from external malicious entities. Additionally, lack of training in virtual systems is most likely the largest cause for malicious access and actions.
SC: What are some of the greatest misconceptions about virtualization security from your perspective?
JI: The most common misconception of virtualization is that individual virtual devices within a common physical environment are segmented and secure from the other applications and communications occurring on those other virtual devices. This is similar to the misconception that physically segmented servers on common networks are secure from the applications and communications occurring on those other physical servers. This is never true. Communications between virtual servers and/or their applications can traverse across the physical backplane as easily as communications can occur between physical devices connected on common network backplanes.
SC: Are there particular configurations that CIOs can implement to strengthen their virtualization security?
JI: It is important to understand application access requirements and classify them based on the needs of both the systems and the data. Just like DMZ segmentation of network infrastructure, devices should be implemented with separate physical devices, and applications requiring only internal access ideally should be separated, both virtually and physically, from publicly accessible systems. Merely segmenting internal and external applications virtually – without physical segmentation – could allow malicious applications to traverse the virtual backplane, corrupting or losing data and causing systems outages or providing complete control of the internal systems.
For more information about ebooks from SC Magazine, please contact Illena Armstrong, VP, editorial, at illena.armstrong@haymarketmedia.com.
64% of state-and-local respondents say server virtualization takes priority over desktop virtualization. – 2012 MeriTalk survey
Sponsors
F5 is the leader in ADC technologies. F5 security solutions provide data center firewall services, simplify and unify access control, secure and accelerate remote access, and protect email, all while enhancing network and application performance. Leading organizations trust F5 for the tailored security they need, and the reliable, flexible access their users demand. For more information, visit www.f5.com
Bitdefender's Security for Virtualized Environments (SVE) eliminates the traditional requirement of installing full antivirus clients on every virtual machine. Bitdefender provides a virtual appliance which reduces costs while maximizing consolidation ratios in Windows, Linux, and Solaris environments. Bitdefender SVE provides integrated protection for VMware, Citrix Xen, Microsoft Hyper-V and more. For more information, visit http://enterprise.bitdefender.com

 
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDModule 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUD
 
br-security-connected-top-5-trends
br-security-connected-top-5-trendsbr-security-connected-top-5-trends
br-security-connected-top-5-trends
 
SDN architecture for Scalable Resource Management for Big Data Governance in ...
SDN architecture for Scalable Resource Management for Big Data Governance in ...SDN architecture for Scalable Resource Management for Big Data Governance in ...
SDN architecture for Scalable Resource Management for Big Data Governance in ...
 
cloud1_aggy.pdf
cloud1_aggy.pdfcloud1_aggy.pdf
cloud1_aggy.pdf
 
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdfthe_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
PCI DSS & Virtualization
 PCI DSS & Virtualization PCI DSS & Virtualization
PCI DSS & Virtualization
 
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptxthe_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
 
3822424.ppt
3822424.ppt3822424.ppt
3822424.ppt
 
Is it an internal affair
Is it an internal affairIs it an internal affair
Is it an internal affair
 
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure FrameworkSecurity and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
 
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
 
Cloud Application Security --Symantec
 Cloud Application Security --Symantec Cloud Application Security --Symantec
Cloud Application Security --Symantec
 
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...
 
Managing The Virtualized Enterprise New Technology, New Challenges
Managing The Virtualized Enterprise New Technology, New ChallengesManaging The Virtualized Enterprise New Technology, New Challenges
Managing The Virtualized Enterprise New Technology, New Challenges
 
SaaS Security.pptx
SaaS Security.pptxSaaS Security.pptx
SaaS Security.pptx
 
saassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdfsaassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdf
 
A017130104
A017130104A017130104
A017130104
 
Identified Vulnerabilitis And Threats In Cloud Computing
Identified Vulnerabilitis And Threats In Cloud ComputingIdentified Vulnerabilitis And Threats In Cloud Computing
Identified Vulnerabilitis And Threats In Cloud Computing
 

More from Jim Romeo

Jim romeo b2 b copywriter - how long should blogs be
Jim romeo   b2 b copywriter - how long should blogs beJim romeo   b2 b copywriter - how long should blogs be
Jim romeo b2 b copywriter - how long should blogs beJim Romeo
 
Jim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-Tech
Jim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-TechJim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-Tech
Jim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-TechJim Romeo
 
AST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIOAST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIOJim Romeo
 
PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715Jim Romeo
 
IN-N-OUT BURGER
IN-N-OUT BURGERIN-N-OUT BURGER
IN-N-OUT BURGERJim Romeo
 
Chemical Industry in China
Chemical Industry in ChinaChemical Industry in China
Chemical Industry in ChinaJim Romeo
 
Automotive Logistics Magazine - The Automotive South -Working II
Automotive Logistics Magazine - The Automotive South  -Working IIAutomotive Logistics Magazine - The Automotive South  -Working II
Automotive Logistics Magazine - The Automotive South -Working IIJim Romeo
 
Counterculture Linux Article
Counterculture Linux ArticleCounterculture Linux Article
Counterculture Linux ArticleJim Romeo
 
Maritime Executive_Out of Gauge CArgo
Maritime Executive_Out of Gauge CArgoMaritime Executive_Out of Gauge CArgo
Maritime Executive_Out of Gauge CArgoJim Romeo
 
Maritime Executive_HMorrison
Maritime Executive_HMorrisonMaritime Executive_HMorrison
Maritime Executive_HMorrisonJim Romeo
 
Cistera Networks Q and A
Cistera Networks Q and ACistera Networks Q and A
Cistera Networks Q and AJim Romeo
 
FUEL-cleanEnergy
FUEL-cleanEnergyFUEL-cleanEnergy
FUEL-cleanEnergyJim Romeo
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991Jim Romeo
 
AST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIOAST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIOJim Romeo
 
Dell_whitepaper[1]
Dell_whitepaper[1]Dell_whitepaper[1]
Dell_whitepaper[1]Jim Romeo
 
PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715Jim Romeo
 

More from Jim Romeo (16)

Jim romeo b2 b copywriter - how long should blogs be
Jim romeo   b2 b copywriter - how long should blogs beJim romeo   b2 b copywriter - how long should blogs be
Jim romeo b2 b copywriter - how long should blogs be
 
Jim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-Tech
Jim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-TechJim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-Tech
Jim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-Tech
 
AST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIOAST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIO
 
PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715
 
IN-N-OUT BURGER
IN-N-OUT BURGERIN-N-OUT BURGER
IN-N-OUT BURGER
 
Chemical Industry in China
Chemical Industry in ChinaChemical Industry in China
Chemical Industry in China
 
Automotive Logistics Magazine - The Automotive South -Working II
Automotive Logistics Magazine - The Automotive South  -Working IIAutomotive Logistics Magazine - The Automotive South  -Working II
Automotive Logistics Magazine - The Automotive South -Working II
 
Counterculture Linux Article
Counterculture Linux ArticleCounterculture Linux Article
Counterculture Linux Article
 
Maritime Executive_Out of Gauge CArgo
Maritime Executive_Out of Gauge CArgoMaritime Executive_Out of Gauge CArgo
Maritime Executive_Out of Gauge CArgo
 
Maritime Executive_HMorrison
Maritime Executive_HMorrisonMaritime Executive_HMorrison
Maritime Executive_HMorrison
 
Cistera Networks Q and A
Cistera Networks Q and ACistera Networks Q and A
Cistera Networks Q and A
 
FUEL-cleanEnergy
FUEL-cleanEnergyFUEL-cleanEnergy
FUEL-cleanEnergy
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991
 
AST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIOAST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIO
 
Dell_whitepaper[1]
Dell_whitepaper[1]Dell_whitepaper[1]
Dell_whitepaper[1]
 
PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715
 

2_24551_Virtualization_SC_0113

to fail. For instance, he says, when one has a three-tier application, it doesn't make sense to spread those tiers across multiple hosts. If one were to lose a tier, then access is lost to the entire application. "In this scenario, you want to set up rules within your virtualization hypervisor to keep all instances of that application on the same host," Meyer says. "This way you have reduced the number of applications that will be down by 33 percent."

Administrators also need to check that, where load-balanced systems such as web front-ends are in place, the instances are not all on the same host. When an implementation has multiple instances of a load-balanced application, administrators need to keep those instances off of a single host and make sure they are split across multiple hosts and storage arrays if possible, he says.

With a single host, there are many virtual machines (VMs) that will be affected when security is breached. Specifically, the bigger problem in a virtual environment is the far-reaching impact on the VMs associated with a single point of attack. "A compromise of the virtualization layer could result in the compromise of all hosted VM workloads," says Gary Loveland, a principal and leader of PwC's global security practice in Irvine, Calif. "If the hypervisor is attacked, the hacker could have access to all data that flows across it, and could get into all of the VMs. On a typical hypervisor setup, workloads and different VMs can be consolidated on the same physical server. That is becoming increasingly common for cost and power efficiency."

For example, he says, a physical server might be hosting a VM with a database holding sensitive content, and another VM might be hosting the front-end of the application. This can create challenges for compliance. The hypervisor requires patching, in which case all VMs would have to be brought down. So it's not a single server that is at risk, but all the images along the chain. This all adds to the challenge in developing and implementing security policy designed to safeguard against intrusions.
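The two placement rules Meyer describes (keep the tiers of one application together on a host; keep the instances of a load-balanced service apart across hosts and, where possible, storage arrays) are easy to state and easy to violate silently as VMs are migrated. The script below is an added example, not code from the article or from SWC Technology Partners: it checks a VM inventory against affinity and anti-affinity rules and reports every violation, plus the blast radius of a single host failure. The VM names, hosts, datastores and rules are constructed for illustration; in practice the inventory would be pulled from the hypervisor's management API.

```python
"""Check VM placement against affinity and anti-affinity rules.

Added example, not code from the article. Inventory and rules are
constructed for illustration; real data would come from the
hypervisor's management API.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    host: str
    datastore: str


@dataclass(frozen=True)
class Rule:
    kind: str            # "together" (affinity) or "apart" (anti-affinity)
    members: tuple       # VM names the rule applies to
    scope: str = "host"  # "host" or "datastore"


def check_rules(vms, rules):
    """Return a list of human-readable violations; an empty list means compliant."""
    by_name = {vm.name: vm for vm in vms}
    violations = []
    for rule in rules:
        missing = [m for m in rule.members if m not in by_name]
        if missing:
            # A rule naming a VM that no longer exists is itself a finding.
            violations.append(f"{rule.kind}: unknown VM(s) {missing}")
            continue
        placement = {m: getattr(by_name[m], rule.scope) for m in rule.members}
        if rule.kind == "together":
            # All members must share the same host/datastore.
            locations = set(placement.values())
            if len(locations) > 1:
                violations.append(
                    f"together/{rule.scope}: {list(rule.members)} spread across {sorted(locations)}")
        elif rule.kind == "apart":
            # No two members may share a host/datastore.
            groups = defaultdict(list)
            for member, loc in placement.items():
                groups[loc].append(member)
            for loc, members in sorted(groups.items()):
                if len(members) > 1:
                    violations.append(f"apart/{rule.scope}: {members} share {loc}")
        else:
            raise ValueError(f"unknown rule kind {rule.kind!r}")
    return violations


def blast_radius(vms, host):
    """VMs lost if the given host fails: the concentration risk Meyer describes."""
    return sorted(vm.name for vm in vms if vm.host == host)


# Constructed inventory: a three-tier app (erp-*) and a load-balanced web front end.
INVENTORY = [
    VM("erp-web", "esx01", "ds-a"),
    VM("erp-app", "esx01", "ds-a"),
    VM("erp-db", "esx02", "ds-b"),     # one tier separated from its siblings
    VM("www-1", "esx03", "ds-c"),
    VM("www-2", "esx03", "ds-c"),      # two front ends on one host and one array
    VM("www-3", "esx04", "ds-d"),
]

RULES = [
    Rule("together", ("erp-web", "erp-app", "erp-db")),
    Rule("apart", ("www-1", "www-2", "www-3"), scope="host"),
    Rule("apart", ("www-1", "www-2", "www-3"), scope="datastore"),
]

if __name__ == "__main__":
    for v in check_rules(INVENTORY, RULES):
        print("VIOLATION", v)
    print("host esx01 failure takes down:", blast_radius(INVENTORY, "esx01"))
```

Run it periodically (or after every migration event) rather than once at deployment: DRS-style automatic balancing and manual vMotion both move VMs, and a rule that was satisfied on day one is the one that gets broken quietly.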
80% of federal information technology leaders say their agencies have implemented some manner of server virtualization. – 2012 MeriTalk survey

www.scmagazine.com | © 2013 Haymarket Media, Inc.

Security monitoring must take into account all of the virtual networks that exist. Loveland says the lack of visibility and controls on internal virtual networks can blind already existing security policy enforcement mechanisms. "Virtual servers are generally not monitored in the same way that physical servers are, and when VMs can communicate, it can create an invisible network," he says. "You need all of the same controls – firewalls, sniffers, etc. – that would be used on a physical server inside the virtual network to monitor effectively."

As well, there is a potential loss of separation of duties for network and security controls. "When physical servers are collapsed into a single machine, it increases the risk that both system administrators and users will inadvertently gain access to data that exceeds their normal privilege levels," he says. "Another area of concern is which group configures and supports the internal virtual switch."

Risk mitigation: Manage, validate and control

For an IT manager, virtualization demands prompt mitigation in response to an incident, and this is always a challenge for IT leadership. In fact, it is an ever-changing skill set and business practice that must adapt as security threats change and find their way into network infrastructure. For virtualized environments, risk mitigation begins with sound security policies anchored in a good understanding by all security team members within the enterprise. Loveland says VMs should be held to the same standards as physical machines, as they require the same separation and security controls. "Organizations should extend their policies, practices and technologies to manage, validate and control the virtual infrastructure," he says. "Monitoring and protecting each layer in the configuration is crucial to reducing the threat surface."

Additionally, virtualization security must begin with the security team and operations team working in tandem to develop a mutual understanding of the virtual platform, he says. Together, these groups should develop a common set of processes and strategies that become the guidelines for virtual data center functioning.

20% savings within the federal government in its IT budget through virtualization. – 2012 MeriTalk survey

Securing a virtual environment: Five major requirements

1. Limit who can design, create and implement virtual environments. Do not allow departments, organizations or partners to develop even test virtual environments without IT involvement.
2. Require standards, such as policies, systems and applications images, access controls, patch management, data security configurations, naming and addressing conventions.
3. Require physical segmentation for security requirements.
4. Require physical separation of data across multiple clients, as well as personally identifiable information (PII) sets.
5. Purchase special tools and applications to monitor the systems and applications communications that occur between virtual devices.

– Jerry Irvine, CIO of Prescient Solutions, provided these five tips for defending virtualized environments.

And the transition does not have to be difficult. CIOs can embrace certain security models to strengthen their virtualization security, says Stan Yarbrough, a consultant with Datalink, based in Minneapolis. "Moving from physical to virtualized security is viable and easy," he says. And, aligning the security management functions within the organization to embrace newer security models can significantly reduce costs, he says. "Using security models that consider virtualized technology and data protection can accelerate the move to cloud technologies. Physical security models greatly limit the capability to create scalable infrastructure."

Yarbrough adds that virtualization allows servers to become easily mobile among data centers and can be distributed as needed based on workload requirements and security requirements. "A software development organization can ensure that new development takes place in highly secure private data centers, and, once released, can be moved to other data centers for deployment or access by customers," he says. "Virtualization can allow internal servers and DMZ servers to share the same system resources with a very high level of security controls, including intrusion prevention and firewalling. It is possible to build highly scalable, multi-tenancy environments with less cost and greater operational controls."

$5B in savings annually by 2015 from the government's transitioning to server virtualization and cloud computing storage. – 2012 MeriTalk survey

Access, control and permissions

Access, control and permissions play important roles in achieving solid virtualization security. This process begins with skill in managing the resources that will be servicing and maintaining the VMs. PwC's Loveland says organizations should implement role-based access control for administrative capabilities to limit user access and to monitor the number of VMs in the organization. This also provides a process for patching and maintenance schedules.
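Role-based access control for hypervisor administration, as Loveland recommends above, means three things in practice: each administrator holds a named role rather than raw privileges, the role is scoped to the VMs that person is responsible for, and every decision is recorded. It also gives a place to enforce the separation of duties he raised earlier, between the group that configures the virtual switch and the group that runs the security controls on it. The following is an added example, not code from the article or from PwC; the role names, permission strings, principals and the conflicting-permission pair are constructed for illustration, since each real platform (vCenter, Hyper-V, libvirt) has its own privilege vocabulary.

```python
"""Role-based access control for hypervisor administration.

Added example, not code from the article or from PwC. Roles,
permissions, principals and the separation-of-duties pair are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical permission strings; a real platform has its own privilege names.
ROLES = {
    "vm-operator":     {"vm.power", "vm.console"},
    "vm-admin":        {"vm.power", "vm.console", "vm.create", "vm.delete", "vm.snapshot"},
    "network-admin":   {"vswitch.configure", "vswitch.view"},
    "security-admin":  {"firewall.configure", "vswitch.view", "audit.read"},
    "backup-operator": {"vm.snapshot", "vm.export"},
}

# Permissions a single principal must never hold at once: whoever configures the
# virtual switch must not also control the firewall meant to inspect its traffic.
SOD_CONFLICTS = [("vswitch.configure", "firewall.configure")]


@dataclass
class Principal:
    name: str
    roles: set
    scopes: set = field(default_factory=lambda: {"*"})  # resource pools / VM folders

    def permissions(self):
        return set().union(*(ROLES[r] for r in self.roles))


@dataclass
class AuditEntry:
    when: str
    principal: str
    action: str
    target: str
    decision: str


class Authorizer:
    def __init__(self):
        self.audit = []

    def check(self, principal, action, target_scope, target="-"):
        """Return True if allowed; an audit record is written either way."""
        in_scope = "*" in principal.scopes or target_scope in principal.scopes
        allowed = action in principal.permissions() and in_scope
        self.audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), principal.name,
            action, f"{target_scope}/{target}", "ALLOW" if allowed else "DENY"))
        return allowed


def sod_violations(principal):
    """Conflicting permission pairs that one principal holds at the same time."""
    perms = principal.permissions()
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def denied_actions(auth, principal_name):
    """Actions a principal was refused, in order; feed this to monitoring."""
    return [e.action for e in auth.audit
            if e.principal == principal_name and e.decision == "DENY"]


if __name__ == "__main__":
    auth = Authorizer()
    alice = Principal("alice", {"vm-operator"}, {"pool/erp"})
    bob = Principal("bob", {"network-admin", "security-admin"})  # over-privileged
    print(auth.check(alice, "vm.power", "pool/erp", "erp-db"))    # True
    print(auth.check(alice, "vm.delete", "pool/erp", "erp-db"))   # False: not in role
    print(auth.check(alice, "vm.power", "pool/www", "www-1"))     # False: out of scope
    print(sod_violations(bob))  # [('vswitch.configure', 'firewall.configure')]
    for entry in auth.audit:
        print(entry)
```

The scope check is what keeps an operator for one application from touching another tenant's VMs on the same host, and `sod_violations` is the review you run whenever a role assignment changes, not only when it is first granted.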
"Risks are mostly the same as non-VM implementations with respect to the logical system-level related issues, but additional considerations are required for VM admin setup and processes related to security and operational access," says Alon Israely, a licensed attorney and certified information systems security professional, who leads the strategic partnerships for New York-based BIA (Business Intelligence Associates), a firm he co-founded. "These additional considerations include, for example, access to shut down or initiation of a virtualized system, access to and management of licenses (OS or app licenses), underlying infrastructure access and control, and IT and HR policies."

The administrative process of authorizing and documenting roles and permissions is an important part of security management in a virtualized environment. "Authorization and proper documentation of changes to any of the roles and permissions for administrators can have a detrimental impact on the risk of virtual machine infrastructures," says Steve Barone, the founder and CEO of Creative Breakthroughs, a Troy, Mich.-based IT advisory services firm. "Controller access to the VMs via proper lockdown of the privileges should be maintained at all times, and controlled access to the virtual environments should be ensured to reduce code exploitation through malicious software attacks."

As virtualization becomes more common, its security will continue to challenge IT leadership. However, there are many management actions and steps that can be taken to bolster data protection and improve the utility of virtualized servers. CIOs and IT managers should approach security management by viewing and evaluating, from a systematic viewpoint, the virtual environment they are controlling. "With any virtualization initiative, it is essential to define an evaluation framework to enable a systematic, structured and thorough systems view," says Loveland. "Extend your existing security solutions to cover the virtualized environments and have an independent layer handle the virtual environment's security, on top of OS security, network security and application security." Firewalls and scans, he adds, should be deployed and conducted on a separate layer that cannot be reached by the OS. "Continually monitor the virtual network and implement the same security standards used on physical machines," he says.

37% of the federal IT workload today is done on virtualized servers. – 2012 MeriTalk survey

As well, it is important to build an overall security strategy with accompanying architecture to implement it. "We strongly recommend that you should have an overall security strategy and architecture," Loveland says. "Addressing security for a specific technology or component is not a good approach. Security needs to be addressed proactively, before new technology is introduced."

As the virtualization of private data centers expands and matures, cloud computing – especially the public cloud – will drive security, says Shaun Donaldson, director of alliances at Bitdefender, a Bucharest, Romania-based anti-virus vendor. "Public cloud adoption is accelerating, and private cloud is a future that virtualization vendors wish upon all of their customers," he says. "Organizations today are concerned less with asking whether or not they will virtualize or use public cloud, but rather: How do we do it? The acceptance of in-house cloud, public cloud, and hybrids of the two, will continue to accelerate," he adds.

Also, the future of security involves planning for the data center, rather than safeguards being bolted on after the fact. "Security practitioners would be well served by anticipating data center trends," Donaldson says. "Security cannot be the missing link. In the next three to five years, security must be architected to operate on multiple hypervisors, interact with different management and orchestration platforms and, above all, take advantage of the opportunities that hypervisors provide."

Virtualization security: A CIO's perspective

Jerry Irvine is CIO of Prescient Solutions, an IT consultancy based in Chicago. He provides strategic direction on all IT matters to his firm's client companies, as well as to Prescient. We spoke with him to understand his views on virtualization security in today's IT landscape:

SC: Can you tell us about your experience with virtualization and virtualization security projects? What sort of challenges have your clients brought to you in this topic?

Jerry Irvine: While security is always a major concern, it becomes even more challenging when supporting environments designed to house multiple concurrent clients – accessing disparate applications – via the same physical server, data storage solution and communications link. Legacy security solutions began with the principle of physical segmentation. Since the advent of shared services – application service providers, software-as-a-service, and now the cloud – security can no longer be maintained via the separation or segmentation of physical perimeters. Security must now be enabled throughout the system environment – from the development of access controls, operating systems and applications, as well as some form of physical security. Nevertheless, as a result of virtualization, the focus of IT security has shifted from device- and perimeter-based security to data security.

SC: Can you cite some examples of the dangers of intrusion and breaches in a virtualization setting?

JI: Many intrusions and breaches can continue to be traced back to the lack of definition and implementation of standards, policies and procedures, even in a virtual environment. After implementation of virtual servers and systems, many companies begin "over-virtualizing." Creating separate application and systems environments in multiple virtual systems is commonplace, even when the development of another virtual server is not justified. This "over-virtualization" creates even greater complexity, making complete systems documentation more time-consuming, difficult and improbable. As a result, standard management and update procedures are not put into place for all systems. This ultimately leads toward server infestation with malicious applications, causing loss or corruption of data, systems outages and complete remote control of systems from external malicious entities. Additionally, lack of training in virtual systems is most likely the largest cause for malicious access and actions.

SC: What are some of the greatest misconceptions about virtualization security from your perspective?

JI: The most common misconception of virtualization is that individual virtual devices within a common physical environment are segmented and secure from the other applications and communications occurring on those other virtual devices. Similar to the misconception that physical segmentation of servers on common networks is secured from the applications and communications occurring on those other physical servers. This is never true. Communications between virtual servers and/or their applications can traverse across the physical backplane as easily as communications can occur between physical devices connected on common network backplanes.

SC: Are there particular configurations that CIOs can implement to strengthen their virtualization security?

JI: It is important to understand application access requirements and classify them based on needs of both the systems and data. Just like DMZ segmentation of network infrastructure, devices should be implemented with separate physical devices, and applications requiring only internal access ideally should be separated, both virtually and physically, from publicly accessible systems. Merely segmenting internal and external applications virtually – without physical segmentation – could allow malicious applications to traverse the virtual backplane, corrupting or losing data and causing systems outages or providing complete control of the internal systems.

64% of state-and-local respondents say server virtualization takes priority over desktop virtualization. – 2012 MeriTalk survey

For more information about ebooks from SC Magazine, please contact Illena Armstrong, VP, editorial, at illena.armstrong@haymarketmedia.com.
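Loveland's "invisible network" and Irvine's virtual backplane are the same problem seen from two sides: two VMs on one virtual switch can exchange traffic that never reaches the physical firewall or the sniffer that watches it, so a DMZ front end and a sensitive database that happen to share a host are one hop apart. The script below is an added example, not code from the article, PwC or Prescient Solutions, of the detection a practitioner would run over the virtual switch's own flow records to find such traffic. The VM inventory, zone policy, RFC 1918 addresses, the firewall's inside address and the flow tuples (source, destination, port, next hop, bytes) are all constructed for illustration; real records would come from the switch's NetFlow/IPFIX/sFlow export or from a sniffer on a mirror port, and their field layout would differ.

```python
"""Detect east-west VM traffic that bypasses the physical security controls.

Added example, not code from the article, PwC or Prescient Solutions.
Inventory, zone policy, addresses and flow records are constructed for
illustration; real records would come from the virtual switch's flow
export or a sniffer on a mirror port.
"""
from collections import Counter

# Constructed inventory: VM name -> (host, zone). "pci" is the most sensitive zone.
INVENTORY = {
    "www-1":   ("esx01", "dmz"),       # public web front end sharing a host with erp-db
    "erp-app": ("esx02", "internal"),
    "erp-db":  ("esx01", "pci"),
    "jump-1":  ("esx02", "internal"),
}
# Addresses as they appear in flow records (constructed). None marks an address
# that belongs to no registered VM: Irvine's unmanaged, "over-virtualized" server.
IP_TO_VM = {
    "10.10.1.11": "www-1",
    "10.10.2.21": "erp-app",
    "10.10.3.31": "erp-db",
    "10.10.2.41": "jump-1",
    "10.10.2.99": None,
}
# Zone pairs that may talk directly on the virtual switch; every other pair must be
# routed through the physical firewall, whose inside address is FIREWALL_IP.
ALLOWED_DIRECT = {("internal", "internal"), ("internal", "pci")}
FIREWALL_IP = "10.10.0.1"

# Constructed flow records: (src, dst, dst_port, next_hop, bytes)
FLOWS = [
    ("10.10.1.11", "10.10.2.21", 8443, "10.10.0.1", 120_000),    # dmz->internal via firewall: fine
    ("10.10.1.11", "10.10.3.31", 1433, "10.10.3.31", 98_000),    # dmz->pci directly on the vswitch
    ("10.10.2.21", "10.10.3.31", 1433, "10.10.3.31", 5_400_000), # internal->pci: allowed directly
    ("10.10.2.99", "10.10.3.31", 22,   "10.10.3.31", 3_200),     # unregistered VM -> pci
    ("10.10.2.41", "10.10.2.21", 22,   "10.10.2.21", 800),       # admin jump host: allowed
]


def classify(flow):
    """Return (severity, reason) for a suspicious flow, or None if it is acceptable."""
    src, dst, port, next_hop, _ = flow
    src_vm, dst_vm = IP_TO_VM.get(src), IP_TO_VM.get(dst)
    if src_vm is None or dst_vm is None:
        return ("high", f"unregistered endpoint in flow {src}->{dst}:{port}")
    src_host, src_zone = INVENTORY[src_vm]
    dst_host, dst_zone = INVENTORY[dst_vm]
    if (src_zone, dst_zone) in ALLOWED_DIRECT:
        return None
    if next_hop == FIREWALL_IP:
        return None  # the flow crossed the physical control point
    where = "same host" if src_host == dst_host else "across hosts"
    return ("high" if dst_zone == "pci" else "medium",
            f"{src_vm}({src_zone})->{dst_vm}({dst_zone}):{port} bypassed firewall, {where}")


def analyze(flows):
    """All findings for a batch of flow records, in record order."""
    return [f for f in map(classify, flows) if f is not None]


if __name__ == "__main__":
    found = analyze(FLOWS)
    for severity, reason in found:
        print(severity.upper(), reason)
    print(Counter(severity for severity, _ in found))
```

The unregistered-endpoint rule is deliberately the loudest: a VM nobody put in the inventory has, by definition, no patch schedule and no owner, which is the failure mode Irvine describes. The "same host" tag is there because that is the case the physical firewall can never see, whatever its rules say.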
Sponsors / Masthead

F5 is the leader in ADC technologies. F5 security solutions provide data center firewall services, simplify and unify access control, secure and accelerate remote access, and protect email, all while enhancing network and application performance. Leading organizations trust F5 for the tailored security they need, and the reliable, flexible access their users demand. For more information, visit www.f5.com

Bitdefender's Security for Virtualized Environments (SVE) eliminates the traditional requirement of installing full antivirus clients on all virtual machines. Bitdefender provides a virtual appliance which reduces costs while maximizing consolidation ratios in Windows, Linux, and Solaris environments. Bitdefender SVE provides integrated protection for VMware, Citrix Xen, Microsoft Hyper-V and more. For more information, visit http://enterprise.bitdefender.com

Virtualization security will never be the same. Try the most advanced security for VMware on the market: Bitdefender's centralized antivirus appliance integrates with vShield 5, Citrix XenServer and Microsoft Hyper-V to maximize consolidation ratios while providing maximized protection for Windows, Linux and Solaris environments.

Find out with a free security scan from F5.

F5 and Cenzic

Cenzic provides application security to continuously assess cloud, mobile, and web vulnerabilities, helping organizations of all sizes protect their reputations. Cenzic solutions are used in all stages of the software development lifecycle, but most importantly in production, to protect against new threats for the life of the application.

Quick, flexible solution: Available as a cloud-based subscription with self- or managed-service options, with nothing to install.
Consolidated management: Tight API integration with F5 lets you assess and block vulnerabilities directly from the BIG-IP ASM GUI.
Immediate, accurate results: Cenzic security produces automated, near-instantaneous results with minimum false positives.
Clear, efficient reporting: Web-based dashboards and a prioritized vulnerabilities list with risk score provide easy insight into your security environment.

For more information about Cenzic, visit cenzic.com.

F5 and WhiteHat Security

WhiteHat Security provides website risk management solutions that protect data, ensure compliance, and narrow the window of risk. The WhiteHat Sentinel product family is a website vulnerability management solution that delivers the visibility, flexibility, and control you need to prevent attacks.

Continuous protection and support: Ongoing testing keeps up with website changes, and vulnerabilities are verified by WhiteHat's Threat Research Center (TRC) team, who help you understand and remediate vulnerabilities.
Accurate results: The TRC verifies vulnerabilities to ensure accuracy, enable BIG-IP ASM to act immediately on findings, and save you time and resources.
Comprehensive coverage: Scanning automation plus TRC expertise and management provides high scalability and transparency.
Production-safe methodology: Production-safe testing allows you to assess your site continuously without interfering with customer or business partner processes.

For more information about WhiteHat Security, visit whitehatsec.com.

Take advantage of F5's joint solutions with Cenzic and WhiteHat Security to find application vulnerabilities and patch them immediately. Schedule a free scan with your choice of Cenzic or WhiteHat Sentinel software to see how you can reap the benefits. Improve enterprise security with Dynamic Application Security Testing. Quickly mitigate risks via integration with F5® BIG-IP® Application Security Manager™ (ASM). Reduce your organization's risk exposure with an easy and cost-effective combined solution. Protect your apps from the OWASP Top Ten vulnerabilities while achieving compliance. Visit interact.f5.com/freescan.html to assess your apps today.

©2013 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5.