Cyber Security Institute

Friday, July 27, 2007

Virtualization’s New Benchmark

The nonprofit Center for Internet Security (CIS) is about to release a security benchmark that gives you the lowdown on how to lock down your virtualized systems.  Virtualization may be convenient, efficient, and eco-friendly, but it’s also a big fat security risk if you don’t configure it properly. 

Chris Farrow, director of the center for policy and compliance for Configuresoft, says the creation of a security benchmark for virtual machines began last year.

Some large financial firms were retooling their data centers with virtualization, and they urged CIS to consider addressing virtual machine security as well.

“We found that no one was building a best-practices [model] for securing the virtual infrastructure,” says Farrow, who works with the CIS, which is made up of vendors, universities, consultants, government agencies, and enterprises.

Configuresoft is among the organizations working on the security benchmark, which will include benchmarks for specific virtualization software, including VMware’s ESX Server, Microsoft’s Virtual Server, and Xen Virtual Machine.  To prevent malicious activity from a “guest” virtual operating system, for instance, the benchmark recommends disabling the copy-and-paste operations between the guest OS and the remote console, says Joel Kirch, information assurance programs manager for WBB Consulting and a member of the CIS team working on the virtualization benchmark.

http://www.darkreading.com/document.asp?doc_id=130189&WT.svl=news2_1