Can’t My Existing Physical Security Protect Virtual Systems?
Physical security devices were not designed to protect virtual infrastructures such as virtualized data centers and private and hybrid clouds. Such “traditional” security controls depend on physical devices deployed on the perimeter of the data center or on physical networks. They are not well-suited to protect virtual assets for two main reasons:
- It is difficult and cumbersome to route traffic from within a virtual infrastructure to a physical security control located outside of the virtual environment. Technically it can be done, for example with VLANs, but in practice the dynamic nature of the virtual infrastructure makes such a solution hard to manage and maintain.
- Traditional perimeter devices are very effective at applying and enforcing coarse-grained security policies across a large volume of network traffic. In a virtual infrastructure you want to complement this with fine-grained security policies wrapped around each workload or group of workloads. This approach to security – also known as micro-segmentation – requires the use of software-based virtualized security controls deployed within the virtual fabric itself.
Virtualization: many benefits, but also challenges
The use of virtualization technologies comes with many benefits such as agility, flexibility and cost efficiency. At the same time, virtualization introduces new challenges:
- A new virtual network fabric, often blind to physical security devices
- A new threat surface: the hypervisor
- An all-powerful virtual administrator, collapsing roles
- Machines becoming files, leading to mobility, rapid change and opportunity for theft
Security professionals need to recognize what is new and adapt their security practices to accommodate it. If not, virtualization will pose a significant security risk. Indeed, in recognition of these changes, independent third-party standards bodies, such as PCI and NIST, have modified their standards and recommendations. Their updated specifications acknowledge that without appropriate technology and training, virtualization and cloud systems will introduce significant security and compliance gaps. Such gaps include unprotected networks, access control failures, loss of change controls, new threat surfaces, breakdowns in separation of duties and escalation of privilege. Virtualization security addresses these potential gaps while also reducing cost and complexity.
Positive impact of virtualization on security
While IT does need to update its own security practices and corporate governance in the face of virtualization, the net impact of virtualization on security can be extremely beneficial. Virtualization improves security by making it more fluid and context-aware. When using software-based security solutions, security becomes more accurate, easier to manage and less expensive to deploy than traditional physical security.
Security in a virtualized data center can also be more fully automated. Virtualization security gives data center administrators the power to automatically provision secure machines, automatically have security policies follow workloads when they move, automatically set up firewall rulesets for classes of servers and automatically quarantine compromised or out-of-compliance assets, among many other examples.
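To make the micro-segmentation and automation ideas above concrete, here is an added example that is not from this page or from any vendor product: a toy policy engine in which group-level intent (web may reach app, app may reach db, management may reach anything on 22) is expanded into a per-workload allow list, so that moving a workload or tagging it as quarantined changes the derived rules on the next pass. The workload names, tags, addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Workload:
    name: str
    ip: str                                  # changes when the VM moves
    tags: set = field(default_factory=set)   # role tags drive the policy

# Group-to-group intent, written once and never in terms of IP addresses:
# (source tag, destination tag, TCP port). Anything not listed is denied.
POLICY = [("web", "app", 8080), ("app", "db", 5432), ("mgmt", "*", 22)]
QUARANTINE_TAG = "quarantined"

def derive_rules(workloads, policy=POLICY):
    """Expand group intent into {name: sorted [(src_ip, port), ...]}.
    Empty list = default deny. A quarantined workload is skipped both as
    a source and as a destination, which isolates it automatically."""
    rules = {w.name: set() for w in workloads}
    for dst in workloads:
        if QUARANTINE_TAG in dst.tags:
            continue
        for src in workloads:
            if src is dst or QUARANTINE_TAG in src.tags:
                continue
            for src_tag, dst_tag, port in policy:
                if src_tag in src.tags and dst_tag in ("*", *dst.tags):
                    rules[dst.name].add((src.ip, port))
    return {name: sorted(allowed) for name, allowed in rules.items()}

def quarantine(workload):
    """Flag a compromised workload; the next derive_rules() isolates it."""
    workload.tags.add(QUARANTINE_TAG)

def move(workload, new_ip):
    """Relocate a workload; re-deriving makes the policy follow it."""
    workload.ip = new_ip

# Constructed inventory with sample addresses (not from any real environment).
INVENTORY = [
    Workload("web1", "10.0.1.10", {"web"}),
    Workload("app1", "10.0.2.10", {"app"}),
    Workload("db1", "10.0.3.10", {"db"}),
    Workload("jump1", "10.0.9.10", {"mgmt"}),
]

if __name__ == "__main__":
    for name, allowed in derive_rules(INVENTORY).items():
        print(name, allowed or "DENY ALL")
```

The point is that the intent never mentions an address: re-running derive_rules after a move or a quarantine is all the "policy follows the workload" step amounts to.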
With the right technology and processes, virtualization has the power to make data centers even more secure and compliant than their physical counterparts.