Mon 16 Nov 2009 04:00 AM

Virtual reality

As regional enterprises take to virtualisation across server and storage platforms, it becomes imperative that they re-examine their security investments and modify the organisational mindset to protect their information systems and data better. Sathya Mithra Ashok explores the subject.

“The biggest challenge is that of management visibility.” Aziz Ala’ali, regional director, Middle East and Africa at Extreme Networks
“The greater challenge today is to maximise the benefits of virtualisation without compromising security and compliance.” Rubén Espinosa Gil, regional marketing manager EMEA South of RSA, the security division of EMC
“It’s important to manage security proactively.” Johnny Karam, regional director of Symantec MENA


Virtualisation is probably the most discussed technology move today among organisations in the Middle East. The multiple benefits that this set of technologies can bring across the server and storage platforms have created a situation where more and more enterprises are discussing implementing it or taking due steps to deploy it.

As Fadi Ayoubi, systems engineer at Cisco, puts it: “Virtualisation is becoming one of the most important aspects of today’s networks due to the efficiency it provides in deploying new services and making them available within the corporate infrastructure. Virtualisation within the network infrastructure in general, and in the data centre in particular, is pushed by most vendors and is getting adopted by enterprise customers. This change towards virtualisation is creating new challenges for infrastructure and security teams in providing consistent levels of isolation, monitoring, and policy enforcement — similar to what is available with physical servers and systems today.”

The virtualisation of information systems within enterprises should go hand-in-hand with adequate measures to safeguard these systems. However, security remains of low priority to many regional organisations that are actively working with virtualisation.

“A large number of virtualisation projects in the Middle East are either in the testing phase, or are being deployed to support non-critical applications rather than transaction-heavy functions that involve the interchange of large quantities of data. Under these circumstances, security is not a top consideration,” said Johnny Karam, regional director at Symantec.

Even when they do consider security while deploying virtualisation, most organisations do not realise that defending a virtualised environment is quite different from protecting a physical one.

“Virtualisation introduces a different set of security issues — one related to virtual machines (VMs) and the hardware layer. With the hardware layer such as graphics, network and processor cards gaining access to the VMs, they see everything in these machines. In a virtualised environment, if the host is compromised, it is possible to take down the client servers hosted on the primary host machine. Hence, in a virtualised environment the security of both the VMs and its host systems are primary,” points out Guru Prasad, GM of networking and security at FVC, value-added distributor for Google Enterprise, delivering service and support on its behalf in this region.

According to Rubén Espinosa Gil, regional marketing manager EMEA South of RSA, the security division of EMC, ideal security solutions for a virtual environment need to be information-centric, contextual and risk-based, capable of maintaining their effectiveness in a virtual world and eventually living in the enterprise cloud.

“Extending enterprise security controls to virtualised applications — enabling persistent, pervasive and scalable deployment of security solutions across the virtual infrastructure — requires a four-pronged approach — assess and understand risks, secure the virtual infrastructure and leverage it, and secure cloud computing,” added Gil.

As most regional enterprises are new to virtualisation and its associated functions, they often tentatively use the same solutions and processes being used for their physical environments.

“Essentially, the virtual data centre has eliminated conventional perimeters and boundaries. The resulting conundrum — how to balance the appeal of virtualisation with the need for security — often results in two unsatisfactory options, forge ahead on virtualisation projects while ignoring the incremental risk created by these new technologies or limit the extension of virtualisation technologies into environments containing sensitive information. In the first case, organisations are potentially exposing themselves to a risk level that cancels out cost savings. In the second, they are likely to fall behind both competitively and in their own cost-control programmes. Obviously, neither scenario is ideal,” stated Gil.

Defensive tactics

According to industry experts, securing virtualised assets can be easy, and the apparent conundrum easily answered, only if enterprise end-users would think of virtualisation security as essentially different from physical defence tactics.

“Most enterprises deal with security for virtualised systems on the strength of their host and client security. The fallacy is in the belief that if the hosts and clients are secure enough, then the virtualised environment is also secure. Also many organisations treat virtualisation and VMs as a tool to provide flexibility to their OS deployments,” said FVC’s Prasad.

The first step to achieving success in protecting virtualised systems involves the consideration of the deployment as a strategic step, and the due inclusion of the information security team in the planning and implementation stages of the required solutions.

As Prasad puts it: “Keeping the vulnerability of a virtual environment in mind, security becomes a priority. It is imperative that the security team should be an inherent part of every virtualisation project to ensure that it has the right level of security to match the needs of the project. A virtualisation security layer or a VM manager needs to be created to ensure that the level of security is complete and assured.”

Enterprises should also take care to defend the access layer in order to protect their VMs from any malicious activity.

“Layer 2 security policies that in traditional data centre architecture are enforced at the access layer need to be extended to the virtual layer. The access layer and virtual access layer serve the same logical purpose. The virtual access layer is a new location and a new footprint of the traditional physical data centre access layer,” said Ayoubi.

“The virtual access layer is mainly a virtual switch that facilitates communication between multiple VMs on the same physical server. VMs should only communicate as per the general security policy and, unless the virtual switch provides this enforcement, applications and services run risks of being exposed to attacks from a neighbouring VM (running on the same physical server) which has been exploited. Preventive measures need to be taken and security policies need to be enforced at the access layer.”

Simply implementing the right security in organisations is not entirely sufficient. According to vendors, this has to be managed efficiently to gain required performance levels.

“It’s important to manage security proactively, which can be achieved most effectively when the virtual and physical environments are managed together. Security is a complex operation and customers have some options available to them. One is to simplify their virtualisation management through a management console; another would be to outsource security management to a company,” said Karam.

Facing challenges

Team involvement, protection of the access layer and efficient management are just broad guidance parameters for achieving effective security with virtualisation technologies. As with any IT implementation, security in virtualisation involves a lot of details that vary from enterprise to enterprise, and necessitates the presence of trained personnel. Since the region lacks skilled IT people with adequate experience, this often means that organisations investing in virtualisation and necessary security elements will need to send their existing IT staff for training as well.

“Advanced training on the setup of VMs and the environment would be very necessary to augment the standards-based security training already provided. While the basic tenets of networking security prevail, there are added layers to virtualised security that need to be understood and implemented. Like any new technology, training enhances these skills,” said Prasad.

Even when adequate training is provided, organisations are faced with other challenges when they take the step to securing their virtualisation investments.

“The most challenging obstacles to enabling and securing virtualisation lie within the organisation itself. While specific knowledge and skills in systems, storage and networks will remain critical, the challenge then becomes making the sum of the parts greater than the whole. No longer can data centre teams work in silos. VM intelligence is moving out to the network as network intelligence is moving into the server. The traditional network access layer is collapsing into the server architecture. Servers now host more network intelligence in the form of a virtual machine-aware software driver or a software switch. The demarcation thus becomes not one between server and network, but one similar to server and application. Network access now begins in the server – not at the end of a copper cable – yet it will continue to be managed within the network by a network specialist. This new paradigm demands cooperation among data centre teams and mutual understanding of the services that these teams collectively provide,” said Ayoubi at Cisco.

RSA’s Gil states: “The greater challenge today is to maximise virtualisation benefits without compromising security and compliance. A well executed plan also helps you obtain buy-in from key stakeholders throughout your organisation, avoiding pitfalls that could otherwise jeopardise success.”

According to Aziz Ala’ali, regional director, Middle East and Africa at Extreme Networks, the biggest challenge is management visibility.

“This is especially true for storage management and planning, which has become an extremely expensive prospect in the virtualisation era. In order to take advantage of the mobility of VMs offered by enterprise virtualisation solutions, organisations must place these machines on expensive storage networks, a not-so-insignificant detail that some enterprises don’t consider before deciding to virtualise,” warned Ala’ali.

Winning the battle

However, the biggest challenge facing enterprises is that concerning mindset. Most organisations working with virtualisation often believe either that their virtualised systems are, by default, immune to attacks, or that their current investments in network and server security are sufficient for their virtualised assets as well. Nothing can be further from the truth.

As Cisco’s Ayoubi puts it: “The same security risks and concerns faced in a physical server or physical data centre extend into a virtualised world. A misconception about a VM is that it’s somehow immune to these problems or the host server will somehow protect it. VMs need to have the same networking concerns addressed and the same virus problems attended to as physical machines.”

Prasad adds: “Virtual computing platforms cannot be deployed securely simply by dropping them into existing systems. Realising the full benefits of these platforms demands a significant re-examination of how security is implemented.”

Enterprises working with extensive virtualisation need to consider security minutely and understand that different tactics, and at times different products, are necessary to safeguard their data. When that mindset is firmly entrenched in an organisation and processes established around it, half the battle of defending virtualised assets is already won.

Securing virtualisation – basic dos

• Start small – test virtualisation on non-critical systems.
• Standardise infrastructure where possible.
• Create and enforce policies to allow greater automation and easier management.
• Choose products that can run on virtualised and physical environments.
• Update OS and applications with latest patches on all hosts and VMs.
• Keep host applications minimal, firewall each VM from each other, use IPSEC or strong encryption between the host and the VMs.
• Avoid browsing the internet from the host.
• Secure the administrator and administrative accounts on host computers.
• Turn off un-utilised VMs and add VMs to security policy.
• Run latest hardware drivers in VMs and hosts, disable USB on hosts, monitor event logs of host systems, limit and reduce hardware resource sharing.
• Ensure VMs cannot connect to each other unless needed.
• Strictly manage remote access to VMs, and especially to the host machine. This will make exposure less likely.
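
The following sketch is an added example, not part of the original article. It audits the checklist items on VM-to-VM connectivity, un-utilised VMs and policy coverage, together with Ayoubi's point that only the virtual switch can enforce policy between VMs on the same physical server. The VM names, hosts, ports, flow records and the 30-day idle threshold are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    host: str          # physical server the VM runs on
    powered_on: bool
    idle_days: int     # days since last recorded use

# Constructed sample data (hypothetical names, not from the article).
VMS = [
    VM("web01", "esx-a", True, 0),
    VM("db01", "esx-a", True, 0),
    VM("test07", "esx-a", True, 45),   # forgotten test VM
    VM("app01", "esx-b", True, 0),
]
# Default deny: only these (source, destination, port) flows are allowed.
POLICY = {("web01", "app01", 8443), ("app01", "db01", 5432)}
# Flows recorded at the virtual switch (constructed).
FLOWS = [
    ("web01", "app01", 8443),
    ("app01", "db01", 5432),
    ("test07", "db01", 5432),   # neighbouring VM on the same host
    ("web01", "db01", 22),
]

def audit_flows(vms, policy, flows):
    """Return flows the policy does not allow, flagging same-host pairs."""
    host = {vm.name: vm.host for vm in vms}
    findings = []
    for src, dst, port in flows:
        if (src, dst, port) not in policy:
            # Same-host traffic never reaches the physical access layer,
            # so only the virtual switch can observe or block it.
            same_host = src in host and host.get(src) == host.get(dst)
            findings.append((src, dst, port, same_host))
    return findings

def audit_inventory(vms, policy, max_idle_days=30):
    """Return (powered-on VMs absent from the policy, idle VMs still on)."""
    covered = {name for src, dst, _ in policy for name in (src, dst)}
    unmanaged = [v.name for v in vms if v.powered_on and v.name not in covered]
    idle = [v.name for v in vms if v.powered_on and v.idle_days > max_idle_days]
    return unmanaged, idle

if __name__ == "__main__":
    for finding in audit_flows(VMS, POLICY, FLOWS):
        print("policy violation:", finding)
    print("unmanaged, idle:", audit_inventory(VMS, POLICY))
```

Both violations in the sample are same-host flows, which is the case a physical access-layer control would not see.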