Virtualisation – The Opening of Pandora's Box: Best Practices for Mitigating Compliance Risks in Virtualised Environments

By Andrew Heather | Feb 25, 2010
http://www.enterprisenetworkingplanet.com/datacenter/datacenter-blog/virtualisation-opening-pandora-box-best-practices-mitigating-compliance-risks-virtualise

There's no doubt that virtualisation has gained a firm foothold in many IT organisations with its ability to deliver more computing power for less money. The cost and technical benefits of virtualisation have created an internal frenzy to move more systems to a virtual environment. In fact, VMware has reported that 85 percent of its customers are using virtualisation for mission-critical production services. But as businesses rush to virtualise their data centres, many have neglected to clearly understand the compliance and security risks that a virtualised environment presents. Proactive risk management helps companies realise the true return on investment for their virtualisation projects, insists Gene Kim, chief technology officer, Tripwire.


One of the clear benefits of virtual machines is their ease of deployment and the ability to quickly add and remove them from the IT infrastructure. However, without the proper infrastructure to manage which machines are coming and going, whether they have been configured properly and what changes have been made, companies are introducing new security risks and compliance challenges into their businesses. And while there are many tools available for assessing server configurations in the physical world, the truth is that those tools aren't suited to virtual environments. So how can companies detect unauthorised, non-compliant changes to VMs? How can administrators be alerted to virtual sprawl issues, such as when a machine is added or deleted, and whether it passes an integrity check? What can be done to ensure complete visibility from a single point of control?

There are several best practices that can be employed to mitigate the compliance and security risks associated with virtualised environments, and help companies truly realise the return on investment they expect from their virtualisation deployments.

Taking Stock

You can't control what you can't see. Determining which machines are live, which are in production or pre-production, which are dormant and what services they are running is the first step in mitigating compliance risks in virtual environments. Take stock of which technologies are being used (VMware, Citrix, XenServer, etc.) and the relevant regulatory compliance issues related to the business processes enabled by virtualisation. By having a more detailed picture of the entire virtual landscape, companies put themselves in a much better position to take control.

Implementing Preventive Controls

As with any IT infrastructure, physical or virtual, the more people have access, the more potential there is for uncontrolled changes to critical systems. Reducing the number of people who are able to access and make changes to a machine to only those who require access is another step in the right direction. By monitoring VMM user account adds, removes and changes, and reconciling those accounts with an authorised change order form from the virtualisation manager, IT will gain a new level of visibility and control.

Creating and Maintaining Standards

A large portion of today's security and compliance issues in IT can be addressed by creating and enforcing preventive controls. Specifically, this best practice requires that all VMM configuration settings are properly defined, implemented and verified. To make this truly operational, it is important to work with IT on defining which virtualisation security standards should be used, and then to mandate that all systems use the same secure configuration settings. As part of this process, IT and virtual managers should insist that all non-compliant configurations are remediated within a certain amount of time. From there, detective controls must be put in place to assess and continuously monitor VMM configuration settings to ensure all VMs are in a “trusted state”.

Enforcing Standards

So once the policies are set, how can an IT department enforce the policies set forth for configuration and security changes? The answer is simple: certainly not without support from upper management. It is imperative to obtain upper management buy-in and communicate the consequences from the top down. Leveraging technology that assesses configuration settings against internal and external standards can help determine whether a change was authorised and conforms to the standards, while providing forensic data to support an investigation in the event of a breach.

Prepare for the Worst

When looking at today's stringent compliance regulations, it is important to prepare for the worst – an audit. A best practice for ensuring full preparation for an audit is to keep all evidence, including change requests, approvals, detected changes, and reconciliations of detected changes against approved change requests. It is important to note that the evidence required is not limited to machines that are live during the audit phase. IT must be able to show a complete audit trail for all VMs in scope at any given point in time. This means that machines that have been removed from the network are still part of the audit process and require the same evidence trail. This proves to auditors that effective change and configuration management controls existed for all machines throughout a given period of time.
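The three practices above (reconciling adds and removes against authorised change orders, checking every VM against a secure configuration standard, and retaining evidence for machines that have since been removed) can be combined into a single reconciliation pass. The following is an added example written for this page, not Tripwire's or any vendor's code; the baseline keys, VM names and change order "CO-101" are constructed for illustration.

```python
import hashlib
import json

# Constructed secure-configuration standard (hypothetical keys, not a vendor benchmark).
BASELINE = {"ssh.password_auth": "no", "console.enabled": "no", "guest_tools": "current"}

def fingerprint(cfg):
    """Stable hash of a VM's configuration; retained as evidence after the VM is gone."""
    return hashlib.sha256(json.dumps(cfg, sort_keys=True).encode()).hexdigest()[:16]

def reconcile(previous, current, change_orders):
    """Reconcile snapshots ({vm: config}) against change orders ({vm: (order_id, action)}).
    Returns one evidence record per VM in scope, including VMs that no longer exist."""
    records = {}
    for name in sorted(set(previous) | set(current)):
        before, after = previous.get(name), current.get(name)
        if before is None:
            event = "added"
        elif after is None:
            event = "removed"
        elif fingerprint(before) != fingerprint(after):
            event = "modified"
        else:
            event = "unchanged"
        order_id, action = change_orders.get(name, (None, None))
        authorised = event == "unchanged" or action == event
        # Drift against the standard is measured only for machines that still exist.
        drift = [k for k, v in BASELINE.items() if after.get(k) != v] if after is not None else []
        records[name] = {
            "event": event,
            "change_order": order_id,
            "authorised": authorised,
            "drift": drift,
            "before": fingerprint(before) if before is not None else None,
            "after": fingerprint(after) if after is not None else None,
            "trusted": authorised and not drift and after is not None,  # in a "trusted state"
        }
    return records

# Constructed sample snapshots: yesterday's inventory versus today's.
YESTERDAY = {"vm-web01": dict(BASELINE), "vm-db01": dict(BASELINE), "vm-old01": dict(BASELINE)}
TODAY = {
    "vm-web01": {**BASELINE, "ssh.password_auth": "yes"},  # change nobody approved
    "vm-db01": dict(BASELINE),                               # unchanged
    "vm-new01": dict(BASELINE),                              # approved add
}
APPROVED = {"vm-new01": ("CO-101", "added")}  # vm-old01 was removed without a change order
if __name__ == "__main__":
    for vm, rec in reconcile(YESTERDAY, TODAY, APPROVED).items():
        print(vm, rec["event"], "authorised" if rec["authorised"] else "UNAUTHORISED", rec["drift"])
```

Running it reports vm-web01 as an unauthorised modification with drift on ssh.password_auth, vm-old01 as an unauthorised removal whose last known fingerprint is still on record, and vm-new01 as an authorised add.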

Summary

Virtualisation has proven its ability to deliver exceptional benefits, but it has also opened up a Pandora's Box for IT by introducing a plethora of new challenges and risks. If not taken seriously, the issue of mismanagement in virtual environments can undermine all of virtualisation's benefits. By creating a level of transparency and control, businesses will be in a better position to reap the rewards that virtualisation has promised. Without implementing best practices today, the challenges and risks posed by this incredible technology will continue to mount.

Tripwire is exhibiting at Infosecurity Europe, the No. 1 industry event in Europe, held on 27th – 29th April at Earl's Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk