Five steps to safer virtual servers
At the Black Hat conference, HP chief security strategist provided virtualization security advice
At last week’s Black Hat conference, virtualization security was one of the hottest topics and sources of debate. If you are trying to understand how your enterprise’s virtualization security stacks up, consider this advice from Chris Whitener, chief security strategist, HP Secure Advantage, as smmarized by CIO.com’s Chris Whitener:
1. Protect your host operating system by using server hardening tools and methodologies. Additional OS features such as isolation capabilities and strong security between OS partitions makes it easier for you to decrease the “attack surface” of a host OS.
2. Ensure that your host OS is as secure as the guest operating system. A virtual machine inherits all vulnerabilities of a host OS. Select a virtualization technology which provides strong security isolation (enforces distrust) between guest OS instances if needed. If organizations are concerned about malicious software in one guest OS attacking another OS, or don’t have mutual trust among administrators of the different guest OSes, then the virtualization layer must be designed to enforce the idea of distrust.
3. Security policies in the host OS should reflect requirements of individual virtual machines. Using the host OS to implement compliance requirements further enhances your assurance of compliance. It can be relied upon independently of trust in the administration of the guest OS.
4. Manage virtual processes more like you already manage your physical resources. The host OS security lifecycle and virtual machine security lifecycle(s) must both be managed efficiently thought the data center. Ideally, the virtual infrastructure would be managed in the same way as physical resources. This includes software configuration, updates and patches, auditing and performance monitoring.
5. Stay vigilant about securely managing the physical infrastructure.
Deploying workloads on virtualized platforms make them more mobile, and provides flexibility and agility; this does not mean that the physical infrastructure can be ignored. The physical infrastructure has a critical role in supporting the good execution of those workloads, and the security of the virtualized infrastructure depends on the physical resource configuration and access control being managed securely across the data center.
