/dq/media/agency_attachments/UPxQAOdkwhCk8EYzqyvs.png)
Follow UsSecurity has often been considered as the last focus item of any Information Technology (IT) Platform.
The same theory is applicable to virtualization as it is an emerging IT platform. The idea of virtualization is not new; however, it is gaining traction as an increasing number of organisations implement it. Directly derived benefits such as cost savings on IT infrastructure, hardware consolidation, enhanced resiliency, expedited IT deployments etc are leading to increased adoption of virtualization.
However, organizations continue to have apprehensions on how and where to position security in a virtualized environment? If you look closely, security issues in a virtualized environment surface quite aggressively, if required visibility is not established on the virtual layer in time. While organizations acknowledge that moving on to virtual platform helps trap external and internal threats, they are challenged because virtualized environment warrants elevated physical and logical access to storage and network servers making them less secure. Certainly, a virtualized environment helps to keep a check on certain malicious activities such as who is trying to gain access surreptitiously, stealing data, causing disruptions etc and disallows them swiftly.
IT leaders often question what security tradeoffs are relevant to virtualization. Traditionally, it was believed that the security issues are restricted only to a specific layer, which is virtualized such as servers, network, storage etc. But this myth is now broken and organizations are realizing that security issues are not confined to one layer of the IT architecture.
Other IT architecture layers which may undergo changes simultaneously by adopting virtualization can be network, gateways, applications, endpoints and servers of an organization. They also intertwine with non-virtualized IT elements posing numerous security challenges for organizations to overcome.
These emerging challenges warrant that organizations look more closely for security capabilities which can do segregation of traffic, establish visibility over virtualized layer and assets, configure granular access rules, implement security zoning, understand virtualized data flow & file systems etc. As per our industry interactions cited in the DSCI-Cisco security thought leadership program some of the major security challenges of a virtualized environment are as given below.
Insecure connections: If the virtualized asset traffic is not segregated from physical IT asset traffic, then there lies a possibility of establishing ‘n' number of insecure connections resulting in data leakage or infrastructure IT security incidents.
Complicated access rules: The shift to a virtualized environment brings with it a complex map of provisioning ‘n' number of access for end users and resources. Organizations are trying to overcome this challenge by segregating their virtual infrastructure as a separate pool of IT resources and then configuring unique access rules for it.
Lack of visibility: Post virtualization, organizations struggle to visualize their virtual assets to perform effective monitoring and management. Visualization of virtual assets means establishing visibility on the virtual layer of IT architecture i.e. separating the guest and host environment, positioning the virtual servers and desktops within the physical IT asset environment etc.
Mixing of traffic: If no due diligence is carried out to understand the changes network will undergo due to virtualization, then the traffic of physical IT assets and virtualized environment get mixed with each other. The mixing of traffic results in ineffective monitoring of virtualized assets from both an IT and a security perspective.
Traffic data exposures: In a virtualized IT environment it is an arduous task to scan data files resident on virtual machines. Organizations are implementing security capabilities that can discover and classify sensitive information hosted on virtual machine thus reducing the number of data leakage scenarios. By swiftly identifying sensitive data exposures, these security capabilities reduce the risks of non-compliance, such as reputational damage due to data leakage incidents.
Some of the other security challenges are insecure provisioning in which device and user based provisioning becomes difficult to implement because of elevated access given to provide flexibility in operations and business demanding deployment of varied mobile devices to enhance productivity of the workforce in a virtualized environment.
Patch management of virtual assets in an offline state is also becoming a difficult affair to handle for the organizations, because very few capabilities providers support organizations on this issue.
Characteristics of security capabilities are changing dynamically to address exclusive issues of a virtualized environment. Some of them are not mature enough to secure virtual environments; however, there are plentiful capabilities which can help in achieving goals of security.
Organizations are looking towards evolvement of virtualization aware security capabilities which can result in enhanced integration levels, improved governance controls, establishing better visibility in order to establish a secure virtual environment - if possible more secure than a physical IT resource environment.
Inspite of the existence and diverse applicability of virtualization over several years, it is quite new in the galleria of various businesses ecosystem.
Although there are proven use cases in the industry citing major benefits of virtualization in terms of cost optimization, agile business delivery, reduced power consumption etc, the dice is not rolling due to listed and other security apprehensions. This makes it imperative to strike the balance between economics of virtualization and security issues attached with it.
This can be done if organizations can incorporate certain ingredients into their virtualization strategy, including but not limited to preparing organization IT architecture for the change, Identification of IT architectural elements which may undergo major changes , making sure that virtualization is right for your organization by referring use cases , putting required governance and technology policies in to place etc.