Over the past few years many organizations have opted for virtual IT environments.
A 2016 survey by Spiceworks reports that 76% of respondents have adopted server virtualization, and Gartner estimates that server virtualization rates in many organizations already exceed 75%.
The reasons behind such strong adoption of virtualization is easy to understand: virtual environments are easy to deploy, improve IT efficiency, provide better business continuity, and — most importantly — reduce costs.
Unfortunately, without appropriate security measures, these benefits can be reversed.
For example a 2015 global survey by Kaspersky Labs reveals that businesses pay twice as much to recover from a security breach if virtualized infrastructures are involved.
The report – which cites costs of $60,000 per incident for SMBs and $800,000 for enterprises – attributes factors such as the complexity of securing virtualized environments, a failure to properly understand the risks and an increasing reliance on virtualization for mission-critical operations as underlying reasons why the costs are so high.
Clearly, it only takes one security breach for there to be severe consequences. It is possible to substantially reduce this from happening by implementing the following steps:
#1: Securing virtual environments should be no different to physical ones
Protection for virtual environments requires as much care as physical ones. According to Kaspersky Labs, 42% of respondents still think that virtual environments are safer than physical ones. But this is a mistake. A determined attacker will always find a way in. Don’t wait for a breach; make the security of your virtual machines a priority.
#2: Understand the specific risks to virtual environments
Virtual environments have their own, very different vulnerabilities to physical ones. For example, they have a larger attack surface. This is because components within a virtual infrastructure are often inter-connected. Any unauthorized or malicious action has the potential to affect all virtual machines sharing the same host, magnifying its effect. Moreover, there is the risk that virtual machines may be misconfigured or copied and misused. Both can seriously impact critical business activity.
#3: Don’t leave your virtual environment in a blind spot
System administrators need to have insight into the entire IT infrastructure, virtual as well as physical. Both should have regular IT audits that proactively look for any suspicious activities. IT departments need ready answers to questions such as:
- Who created each virtual machine?
- Who reconfigured or disabled a particular virtual machine?
- Who changed resource pool parameters?
All unauthorised changes need to be spotted and investigated immediately – even an innocent mistake can lead to a security incident.
Following these steps leads to more secure virtual environments. Enrique Martinez, Information Security Coordinator of Banco Bandes Uruguay, explains how complete visibility into user activity across their VMware implementation helped the bank establish proper security controls in its virtual environment. “With the virtual environment, manual auditing is completely impossible. When a virtual server can be created in 15 seconds, there is a strong possibility of not knowing how many servers there are and what happens to them,” he said.
To conclude, virtualization technology continues to mature in both performance and reliability.
But it’s important to establish effective security practices and gain complete visibility into user activity across the entire IT infrastructure before committing critical data to a virtual environment.
Unless you have the ability to detect mistakes or malicious changes in both physical and virtual infrastructures there is a serious risk of system downtime and or security breach.
Awareness of virtualization-related risks is improving all the time, but so too is the number of attacks on virtual infrastructures. For virtualization to be a successful strategy organizations know they need access to tools that provide advanced visibility across hybrid infrastructures.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.