Blog

Virtualization? Why Not!

May. 17, 2010
by Heath
0 Comments

virtualize

Well, I'll tell you. Let me start by saying I do think the overall benefits of Virtualization heavily outweigh the risks.
Since I don't want this to be a doom and gloom blog, I'll start with the positives of Virtualization.

  • Less hardware costs for servers and maintenance, but routers and switches too with VLANing.
  • Saving valuable physical space in server rooms.
  • Going green with energy consumption and generator/battery backups.
  • Normalizing platforms across multiple systems.
  • Agility in an environment. Imagine if you had a server crash, you can just boot up a Virtual Machine and like that you are good to go!
  • Saving money in licensing. I'm not an expert at all on licensing, but I know vendors have laxed on licensing because they are real sure how to manage it with virtualization.

Now, I'll focus more on the potential risks of Virtualization because they aren't discussed as much as the benefits, and we are security people...it's what we do!

  • Currently there are no definite standards yet, especially from the FFIEC, but we haven't even gotten any standards to audit to from PCI or DISA. There are some some best practices docs from DISA in their Virtualization STIG (search Virtualization on DISA's website) and VMWare's best practices (Google: VMWare Best Practices)
  • In virtualization transparency is reduced so it is hard to find where applications are running at a specific time. In other words, visibility within an environment is blurred.
  • Applications must be secure within themselves. What I mean is that any piece of hardware that is compromised, and data on that server can be compromised as well. So if your football bowl picks.xls is compromised and it is on the same server as customer data, you may be S.O.L.
  • Virtual Machine Managers have extreme access to the network like never before. Consider segregations of duties for different IT staff managing network and core servers on separate VM installs.
  • VM migrations present risk because data may be changed during the migration. Consider encrypting channels, heavily restricing access to who can migrate VM's, or isolate LAN's from each other.
  • With virtual security appliances Real Time Monitoring needs to always have dedicated resources. Or else Anti-Virus or internal Intrusion Detections may not be getting the resources to operate in real time.
  • Cloud Computing is a risk in itself. I do believe there is risk in cloud computing. I don't believe it is dire as CNET, but this is a good article.
  • Currently there are multiple CVE's associated with virtualization and may be mitigated. Just be sure your internal vulnerability scans check for virtualization risks.

Don't let this scare you away! I'm excited about the potential of virtualization and the $$$ savings are hard to argue with. Good Luck Virtualizing and don't forget about our upcoming June 4th webinar on Virtualization and the Compliance Around it!

Recent Posts

feature image
BSA/AML Whistleblower Provisions
Dec. 16, 2021
feature image
Multi-Factor Authentication
Dec. 9, 2021
feature image
Customer Service with S.P.E.E.D
Nov. 4, 2021

Posts by Tag