The cornerstones of a proactive security strategy are vulnerability management and risk assessment. However, traditional “scan-and-patch” vulnerability scanning approaches are inadequate for dynamic, virtualized environments. Traditional scanners cannot track changes in real time, so they cannot accurately measure constantly changing risks. Anyone charged with securing IT assets needs to understand the dynamic security risks inherent to virtualized environments, and more importantly, what to do to mitigate those risks. This whitepaper explores the challenges of securing a virtualized environment and gives actionable solutions to address them
Virtualization is radically shifting how enterprises deploy, deliver, and manage applications and data. It offers tremendous benefits for business efficiency and agility: resource consolidation for controlling costs, greater scalability and higher utilization of existing assets and applications, and flexibility for adapting assets to meet current business demands.
Forrester asserts: “Virtualization is the norm; deploying a physical server is the exception.” It found that “server virtualization is nearly ubiquitous,” that “85 percent of organizations have adopted or are planning to adopt x86 server virtualization,” and that “79 percent of firms have or are planning to institute a ‘virtualization first’ policy.” By 2014, Forrester predicts that 75 percent of all servers will be virtualized. (“The CISO’s Guide to Virtualization Security,” by Rick Holland, et al., Forrester Research, Inc., January 12, 2012.)
Similarly, Information Week reports that adoption of server virtualization has grown to 97 percent in survey-respondent data centers. It also reports similar adoption rates in storage virtualization (86 percent), application virtualization (88 percent), and desktop virtualization (76 percent). (“Next-Generation VM Security,” by Kurt Marko, Information Week reports, June 2012).
As more enterprises virtualize their infrastructures, they also face new threat vectors. In the rush to virtualize applications and other assets and realize the fiscal and management benefits of virtualization, IT managers must continue to protect IT infrastructures from hacking incidents, inadvertent insider damage, and malware attacks. Servers, applications, networks, and end-user devices are becoming dynamic and unpredictable.
Virtualized assets are susceptible to the same threats and vulnerabilities as traditional assets but traditional security devices offer limited visibility into virtualized environments, where assets and their security postures are constantly changing. Incidents in virtualized servers can escalate rapidly and cause considerable damage. Determining the risk level associated with a given vulnerability remains vital to prioritizing mitigation tasks.
The cornerstones of a proactive security strategy are vulnerability management and risk assessment. However, traditional “scan-and-patch” vulnerability scanning approaches are inadequate for dynamic, virtualized environments. Traditional scanners cannot track changes in real time, so they cannot accurately measure constantly changing risks.
Anyone charged with securing IT assets needs to understand the dynamic security risks inherent to virtualized environments, and more importantly, what to do to mitigate those risks. With security infrastructures lagging behind virtualization adoption, a vulnerability management solution that provides immediate risk assessment plays a critical role in helping security managers protect virtualized assets and data.
You must extend your vulnerability management program into your virtual environment. Server hardening, including patch management and configuration management, is a core element of vulnerability management. A number of good resources are available to assist you with hardening your virtual servers. You must also ensure that you are conducting regular vulnerability assessments, including scanning and penetration testing, of the environment. …You should include virtualization-specific penetration tests to validate the hardening and security controls of the environment. (Forrester, Ibid., p. 9)
Scheduled scans remain useful in virtualized environments, but the dynamic character of virtualization presents new kinds of risk. The constantly fluctuating environment requires continuous and comprehensive security monitoring to detect changes as they happen.
The vulnerability management solution should include these capabilities:
To better understand the need for these capabilities, consider the challenges and solutions below.
Virtual machines spin up and down all day long. Some VMs may activate many times a day, while others may spin up once a month. An IT administrator can provision, operate, and delete a VM before a traditional vulnerability scanner can check it for vulnerabilities. Periodic scans assign inactive VMs a risk score of 0. There’s inherent risk if that potentially-vulnerable VM spins up again before the next periodic scan kicks off.
Security managers need to know when VMs become active, so they have the option to scan them immediately and assess their risk levels. Without requiring operator intervention, the vulnerability management solution should be able to interact with the hypervisor to detect VMs as they come online and maintain an accurate database of discovered resources. More importantly, a security manager should have the option to configure the vulnerability management solution to automatically scan critical resources when they spin up and issue a scan report upon completion.
Storage snapshots are a valuable data protection capability. However, a rollback or restore may expose a VM, and the system it resides upon, to a previously fixed vulnerability. For example, rollbacks may revert a VM to an older software version that needs critical patching. A periodic scan may not discover this exposure for days or weeks. Another scenario is a rollback reinstates a configuration error or other vulnerability that is exploitable by malware, and a malware attack may have caused the crash.
If the vulnerability management solution is in communication with the hypervisor, it should be able to detect rollbacks and restores and send an alert to the management console. The security manager should have the option to configure the vulnerability management solution to automatically scan assets after a rollback or restore and issue a scan report upon completion. For example, such scans can immediately verify that software versions remain compliant with policies after a rollback, or expose the exploitable errors or vulnerabilities and allow security managers to mitigate them.