Cyber Security Institute

Wednesday, September 02, 2009

Five Ways To Meet Compliance In A Virtualized Environment

RSA and VMware have released five best practices for locking down virtual environments and meeting compliance requirements. The five steps are platform hardening, configuration and change management, administrative access control, network security and segmentation, and audit logging.

“It’s a good idea to talk about the intersection between compliance and security…. A lot of compliance regulations are written assuming the systems are physical—and that only certain administrators have rights to physical systems,” says Jon Oltsik, senior analyst at Enterprise Strategy Group.

“What if financial information sits on a virtual system and on a system with other [applications running on it]?  If a financial application runs as a VM on a physical system, where do the access controls need to be?  How are the regulations going to change to accommodate that?”

And compliance doesn’t always equal security—just take a look at some of the biggest data breaches of late.  Virtualization adds another dimension to that problem.  “You can have compliance without security and security without compliance,” Oltsik says. 

Configure the virtualization platform, both the hypervisor and the administrative layer, with secure settings, eliminate unused components, and keep up to date on patches. Virtualization vendors publish their own hardening guidelines, as do the Center for Internet Security and the Defense Information Systems Agency, according to RSA and VMware.

“Virtualization infrastructure also includes virtual networks with virtual switches connecting the virtual machines. All of these components, which, in previous systems, used to be physical devices, are now implemented via software,” states the RSA and VMware best practices guidelines. Extend your current change and configuration management processes and tools to the virtual environment as well.
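The two practices above (harden the platform, then manage its configuration through the same change process as physical hosts) come down to comparing a host against a baseline and routing every deviation through a change record. The following is an added example, not code from the article or from RSA/VMware; the setting names, service names, baseline values and the host snapshot are all hypothetical, constructed for the demonstration and not real vendor configuration keys.

```python
"""Baseline check for a hypervisor host (added example; setting and service names
are hypothetical, not real vendor keys)."""

from dataclasses import dataclass


@dataclass
class Finding:
    kind: str       # "drift" (setting differs from baseline) or "unused-service"
    item: str       # setting or service name
    actual: object
    expected: object
    control: str    # the hardening practice the rule supports


# Constructed baseline: setting -> (operator, expected value, control).
#   eq        actual must equal expected
#   ge        actual must be >= expected (minimums, patch levels)
#   nonempty  actual must be set to a non-empty value
BASELINE = {
    "mgmt.ssh.enabled":      ("eq", False, "disable unused management services"),
    "mgmt.lockdown":         ("eq", True, "force host access through the admin layer"),
    "auth.password.min_len": ("ge", 14, "administrative credential policy"),
    "log.remote_syslog":     ("nonempty", None, "forward audit logs off the host"),
    "patch.bundle_level":    ("ge", 20090901, "keep the hypervisor patched"),
}

# Services the baseline permits on the host; anything else is an unused component.
ALLOWED_SERVICES = {"hostagent", "vcenter-agent", "syslog", "ntp"}


def _meets(op, actual, expected):
    """Evaluate one baseline rule; a missing setting never satisfies a rule."""
    if actual is None:
        return False
    if op == "eq":
        return actual == expected
    if op == "ge":
        return actual >= expected
    if op == "nonempty":
        return bool(actual)
    raise ValueError(f"unknown operator {op}")


def check_host(config, services):
    """Return every deviation of a host snapshot from the baseline."""
    findings = []
    for name, (op, expected, control) in BASELINE.items():
        actual = config.get(name)
        if not _meets(op, actual, expected):
            shown = "<set>" if op == "nonempty" else expected
            findings.append(Finding("drift", name, actual, shown, control))
    for svc in sorted(set(services) - ALLOWED_SERVICES):
        findings.append(Finding("unused-service", svc, "running", "removed",
                                "eliminate unused components"))
    return findings


def change_request(host, findings):
    """Render findings as a change record, so remediation goes through the same
    change-management process that physical hosts already use."""
    lines = [f"Change request for {host}: {len(findings)} deviation(s) from baseline"]
    for f in findings:
        lines.append(f"  [{f.kind}] {f.item}: {f.actual!r} -> {f.expected!r}  ({f.control})")
    return "\n".join(lines)


# Constructed host snapshot: several settings drift, two extra services run.
SAMPLE_CONFIG = {
    "mgmt.ssh.enabled": True,
    "mgmt.lockdown": True,
    "auth.password.min_len": 8,
    "log.remote_syslog": "",
    "patch.bundle_level": 20090815,
}
SAMPLE_SERVICES = {"hostagent", "vcenter-agent", "syslog", "ntp", "telnet", "ftp"}

if __name__ == "__main__":
    print(change_request("vhost01", check_host(SAMPLE_CONFIG, SAMPLE_SERVICES)))
```

Running the block against the constructed snapshot reports four settings that drift from the baseline and two services that should not be present; the rendered change request is what would be attached to the ticket before any of those settings is touched.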

Server administrators should have control over virtual servers, and network administrators over virtual networks; both groups need to be trained in the virtualization software in order to avoid misconfiguring systems. “Careful separation of duties and management of privileges is an important part of mitigating the risk of administrators gaining unauthorized access either maliciously or inadvertently.”

Deploy virtual switches and virtual firewalls to segment virtual networks, and apply your physical network controls, and your change management systems, to the virtual networks as well.

Monitor virtual infrastructure logs and correlate them with logs from the physical infrastructure as well, to get a full picture of vulnerabilities and risks.
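The separation-of-duties practice and the audit-logging practice meet in the hypervisor's own audit trail: it records which account changed which virtual object, and those records only tell the full story once they sit beside what the physical switches and firewalls saw at the same time. The following is an added example, not code from the article or from RSA/VMware; the log formats, host names, accounts, roles and actions are all constructed for the demonstration.

```python
"""Separation-of-duties check and virtual/physical log correlation (added example;
all log lines, hosts, accounts and action names are constructed)."""

from datetime import datetime, timedelta

# Constructed hypervisor audit log: timestamp, host, then key=value fields.
VIRTUAL_LOG = """\
2009-09-02T10:15:02Z vhost01 user=alice action=vm.poweron target=fin-db-01
2009-09-02T10:16:10Z vhost01 user=alice action=vswitch.portgroup.modify target=vSwitch0/Finance vlan=20->1
2009-09-02T10:20:45Z vhost02 user=bob action=vswitch.portgroup.modify target=vSwitch1/Dev vlan=30->31
2009-09-02T11:02:00Z vhost01 user=bob action=vm.snapshot target=fin-db-01
"""

# Constructed physical switch and firewall log in the same key=value style.
PHYSICAL_LOG = """\
2009-09-02T10:16:30Z sw-core01 port=Gi1/0/12 uplink=vhost01 event=mac-move vlan=1 mac=00:50:56:aa:bb:cc
2009-09-02T10:17:05Z fw01 event=deny src=10.1.1.25 dst=10.20.0.5 dport=1433
2009-09-02T10:40:00Z sw-core01 port=Gi1/0/14 uplink=vhost02 event=link-up
"""

# Role assignments and the action families each role may perform: server admins
# manage virtual machines, network admins manage virtual switches, nobody does both.
ROLES = {"alice": "server_admin", "bob": "network_admin"}
PERMITTED = {"server_admin": ("vm.",), "network_admin": ("vswitch.",)}


def parse_line(line):
    """Split '<ts> <host> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_text, host, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    fields["host"] = host
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def sod_violations(virtual_events):
    """Return audit events whose actor's role does not cover the action family."""
    violations = []
    for event in virtual_events:
        prefixes = PERMITTED.get(ROLES.get(event["user"]), ())
        if not any(event["action"].startswith(p) for p in prefixes):
            violations.append(event)
    return violations


def correlate(virtual_events, physical_events, window=timedelta(minutes=5)):
    """Pair each virtual-network change with physical events in the window after it.

    Switch events carry the uplink host they serve and are matched on it; firewall
    events carry no uplink, so they are kept on time alone for the analyst to join
    by address afterwards."""
    report = []
    for v in virtual_events:
        if not v["action"].startswith("vswitch."):
            continue
        matches = [p for p in physical_events
                   if v["ts"] <= p["ts"] <= v["ts"] + window
                   and p.get("uplink", v["host"]) == v["host"]]
        report.append((v, matches))
    return report


if __name__ == "__main__":
    virtual = parse_log(VIRTUAL_LOG)
    physical = parse_log(PHYSICAL_LOG)
    for e in sod_violations(virtual):
        print(f"SoD: {e['user']} ({ROLES[e['user']]}) performed {e['action']} on {e['target']}")
    for v, matches in correlate(virtual, physical):
        print(f"{v['ts']} {v['host']} {v['action']} {v['target']} -> {len(matches)} physical event(s)")
        for p in matches:
            print(f"    {p['ts']} {p['host']} {p['event']}")
```

On the constructed data the check flags two out-of-role actions (a server admin editing a port group, a network admin snapshotting a VM), and the port-group change that dropped a Finance VLAN to the default VLAN lines up with a MAC move and a firewall deny on the physical side within the next minute, which neither log shows on its own.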

Posted on 09/02