Information security breaches are in the news a lot these days, but for many companies security doesn’t get the attention it deserves until something bad happens. Let’s face it, implementing better security in a data center is a pain in the ass and inconveniences everyone from administrators to end users. Better security doesn’t make anyone’s job easier, and as a result everyone tends to be resistant to it. But the reality is that unless you want to end up in the newspaper headlines you have to do it, and not just make a half-ass effort at it; you need to do it right and you also need to stay vigilant at it. Security isn’t something you do once and you’re done; it’s an ongoing job that requires discipline, time and effort.
Implementing virtualization makes security a more difficult job: not only do you have to secure the physical side of your data center, you also have to secure the virtual side. In a traditional non-virtualized environment implementing security was much simpler; adding virtualization to the mix makes it much more difficult and complicated, as there are many more attack vectors that you need to protect. You would probably notice someone carrying a physical server out of your data center, but in a virtual environment whole servers can leave your data center in someone’s pocket, without them even entering your data center.
I did an article a while back for Tech Target, “How To Steal a VM in 3 Easy Steps”, that described a simple scenario of how someone could make a copy of a VM and carry it home with them on a flash drive. From there they could easily power it on in their own environment and access the OS, applications and data on it. To prevent this you need to start by following security best practices for virtualization, make sure you understand where the weak points are in your virtual environment, and secure them properly.
The ESXi hypervisor has good built-in security, but it’s easy to change settings to make administration easier in ways that weaken it and open up attack points into your virtual environment. VMware has just updated their Security of the vSphere Hypervisor white paper, which provides a good overview of the security things that you need to know in vSphere; definitely give this a read. There are also a number of very good 3rd party virtualization security products from vendors like Catbird and HyTrust that can help provide an additional layer of security and monitoring to improve the security of your virtual environment. Also check out some of the security resources below:
- Security of the VMware vSphere Hypervisor – Good high-level overview of how ESXi security architecture and controls address common concerns in the security community regarding virtualization
- VMware Security Hardening Guides – Step by step guides specific to each vSphere version that provide prescriptive guidance for customers on how to deploy and operate VMware products in a secure manner
- vSphere 5.5 Security – Official documentation from VMware for vSphere 5.5 that covers securing all areas of a vSphere environment
- Security Compliance in a Virtual World – RSA Security Brief with contributing authors from VMware (Stephen Herrod/Charu Chaubal) that covers the challenges of security compliance in virtual environments
- Virtualization Security and Best Practices – PowerPoint presentation from Rob Randall at VMware; it’s a bit old but the concepts still apply today
- PCI DSS Virtualization Guidelines – Provides supplemental security guidance on the use of virtualization technologies in cardholder data environments
- VMware Solution Guide for Payment Card Industry (PCI) – VMware specific security guidelines to address PCI Compliance standards
- Verizon Enterprise 2013 Data Breach Report – Great report that shows where and how most corporate data breaches occur and what types of victims are typically targeted
- Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground – Great book on the mindset and methods of cyber-criminals