Virtual Machine Security: There's More To It Than Meets the Eye
IT pros often face security challenges that can quickly derail the success of any virtualization product.
With virtualization technology exploding in the enterprise and Virtual Desktop Infrastructures (VDI) on the upswing, IT pros are faced with growing security challenges that can quickly derail the success of any virtualization product, while also exposing corporate data to security threats.
Security is anything but an alien concept to today’s IT pro. However, as technology evolves and changes, so does the need for security. Case in point is the burgeoning VDI market, where virtual desktops are quickly becoming the heir apparent to traditional desktop PCs. Here, a new technology paradigm is entering the enterprise, where what was once a straightforward, protectable element is now being replaced with something less static – a virtual PC.
Most administrators assume that the same rules (and technologies) that apply to a physical PC also apply to a virtual machine, at least as far as security is concerned. That assumption is being proven wrong on a daily basis. Virtual PCs change the security game because of their inherent nature, driven by key elements such as portability (easily copied VHD files) and the use of a hypervisor, which effectively isolates the virtual PC from the host hardware.
That means new security ideologies, especially those that focus on management, validation and auditing, must be introduced into the equation, something that is much easier said than done. Luckily, once the inherent security weaknesses and vulnerabilities of virtual PCs are better understood, security becomes actionable and IT pros can implement best practices and security technologies that promise to mitigate vulnerabilities, while providing verifiable security across VDI.
The most important step for securing a virtual infrastructure is to ascertain where virtual machines are located (on site, remote, what server, etc.) and how you can keep an accurate inventory of those machines. This is perhaps one of the biggest challenges, simply because virtual machines can be copied, automatically deployed, migrated and stored remotely.
Unfortunately, many organizations rely on manually updated spreadsheets, or very simple tools that are bundled with VDI solutions, to maintain an inventory. Because those methods depend on manual upkeep, they are open to misinformation and quickly become outdated, thanks to the dynamic nature of virtual environments.
When it comes to security, it is critical to know what has to be protected and where that resource is located. What’s more, frequent audits are a must, and keeping anti-malware technologies up to date is the only way to protect those virtual assets.
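The audit described above can be automated by reconciling the hand-kept inventory against what discovery actually finds. The following is an added example, not part of the original article: the CSV columns, VM and host names, and dates are constructed, and `disk_id` is assumed to be a disk identifier that survives a file copy.

```python
import csv
import io
from datetime import date

# Constructed sample: the manually maintained spreadsheet (assumed columns).
SPREADSHEET = """name,host,disk_id
vdi-001,hv-a,d-1001
vdi-002,hv-a,d-1002
vdi-003,hv-b,d-1003
"""
# Constructed sample: what automated discovery reports right now.
DISCOVERED = """name,host,disk_id,sig_date
vdi-001,hv-a,d-1001,2024-05-30
vdi-002,hv-c,d-1002,2024-05-29
vdi-002-copy,hv-c,d-1002,2024-04-02
vdi-004,hv-b,d-1004,2024-05-30
"""

def load(text):
    """Index CSV rows by VM name."""
    return {row["name"]: row for row in csv.DictReader(io.StringIO(text))}

def audit(recorded_csv, discovered_csv, today, max_sig_age_days=7):
    recorded, live = load(recorded_csv), load(discovered_csv)
    known = set(recorded) & set(live)
    findings = {
        # Running VMs nobody wrote down: unprotected until someone notices.
        "unrecorded": sorted(set(live) - set(recorded)),
        # Spreadsheet rows with no VM behind them: deleted, renamed or moved off site.
        "not_found": sorted(set(recorded) - set(live)),
        # Migrated VMs whose recorded location is now wrong.
        "moved": sorted(n for n in known if live[n]["host"] != recorded[n]["host"]),
        # Anti-malware signatures older than policy allows.
        "stale_signatures": sorted(
            n for n, r in live.items()
            if (today - date.fromisoformat(r["sig_date"])).days > max_sig_age_days),
    }
    # Two VMs reporting the same disk identifier point to a copied disk image.
    by_disk = {}
    for name, row in live.items():
        by_disk.setdefault(row["disk_id"], []).append(name)
    findings["shared_disk"] = {d: sorted(v) for d, v in by_disk.items() if len(v) > 1}
    return findings

if __name__ == "__main__":
    for kind, items in audit(SPREADSHEET, DISCOVERED, date(2024, 6, 1)).items():
        print(f"{kind}: {items}")
```
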
That all adds up to building a strategy that leverages security suites to protect VDI from intrusion, misuse and compromise. Luckily, several products are readily available, which can provide the foundation for creating a secure virtual environment, while also reducing the burden on the IT pro. Nevertheless, selecting the appropriate product requires vetting the features and capabilities that are needed to ensure protection. Primary capabilities should include:
- Centralized management: A security suite used for VDI purposes should include a central management console that gives a single-pane-of-glass view of the status of each managed system.
- Automated discovery: The suite should be able to automatically discover all virtual machines on the network, whether during first use, provisioning or connection to the network.
- Automated deployment: The security product should auto-deploy clients/security software to any connected virtual machine.
- Automated updating: The product should automatically update signature files and other anti-malware technologies on systems.
- Policy definition: Administrators should be able to define policies that enforce security requirements and are automatically applied to the virtual systems on the network.
Using the above guidelines helps to separate the wheat from the chaff, with the chaff being products that lack all of the necessary features to effectively protect VDI. That said, there are still some basic decisions that have to be made. The first decision comes down to the type of security suite deployment: should you use an appliance-based solution or a software-based solution?
Each has its own pros and cons. For example, a security appliance offloads security processing from the main servers and can be easily deployed at the edge of the network to protect both internal and external virtual machines. What’s more, appliances are normally a plug-and-play solution, which requires little integration with existing systems. On the other hand, software-based solutions can usually be integrated at a deeper level, function hand in hand with primary virtualization servers, and often can provide more options to the administrator.
Examples of appliance-based solutions include those from Cisco, Check Point, Juniper, McAfee and Fortinet. Those vendors offer appliances that range in size from SMB to enterprise-level solutions. Software suites can be found from vendors such as Symantec, Trend Micro, Kaspersky, Panda, and Total Defense (formerly CA). Each of those vendors offers network-based, centralized solutions that include management and auditing features.
Frank J. Ohlhorst
Frank J. Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology market. He has written articles for a variety of technology and business publications, and he worked previously as executive technology editor at eWeek and director of the CRN Test Center.
See here for all of Frank's Tom's IT Pro articles.