The information security challenges of virtualisation
By Tim Bovy, Chief Executive Officer, d2OPS – Thu 24 Mar 2011 @ 11:12
Gartner has speculated that: “Virtualisation will continue as the highest-impact issue challenging infrastructure and operations through 2015.” They further estimate that: “More than 80 percent of enterprises now have a virtualisation program or project.” One can, of course, understand virtualisation’s appeal. Beyond the obvious cost savings, it delivers numerous benefits, including, among others, faster provisioning, which means faster time to market for new services. It reduces the number of physical machines that a company must maintain, which simultaneously reduces space requirements. It also allows multiple operating systems to run on a single piece of hardware, thus enabling an organisation to run sundry applications on an individual server.
Easily overlooked, however, in this extravaganza of benefits is the problem that virtualisation creates for managing regulatory compliance. For example, how well protected is your vital data? How visible to your organisation is the hardware environment in which your applications are running and in which your data is stored? Of particular importance, what is your organisation’s visibility into the hypervisor?
To answer these questions (and others), virtualisation implementations require that organisations undertake a rigorous due diligence exercise for each of their compliance programmes, and then continue to monitor them throughout their lifetimes as an essential part of a continuous improvement programme. Although this dictum applies to any area of compliance, it is particularly challenging for managing the requirements of PCI DSS. There are two primary reasons for this. First, comprehensive information security is ill-defined within PCI DSS, rendering it insufficient on its own as a compliance standard in this area. Second, although PCI DSS 2.0 addresses the issue of virtualisation, many organisations are still concerned about how best to provide hypervisor security. This is true whether the hypervisor environment is hosted or bare metal.
As NIST, for instance, points out, “It is . . . important to provide physical access controls for the hardware on which the hypervisor runs. For example, hosted hypervisors are typically controlled by management software that can be used by anyone with access to the keyboard and mouse. Even bare metal hypervisors require physical security: someone who can reboot the host computer that the hypervisor is running on might be able to alter some of the security settings for the hypervisor.” It is important, therefore, that organisations segregate hypervisor management networks from other segments of their networks, including by giving them a separate NIC. Of particular importance is isolating the cardholder data environment from all other virtual machines that are not part of this environment, and ensuring that all software updates and patches are current. In addition, remote administration of hypervisors should only be carried out by authorised personnel using robust cryptographic technology, such as FIPS-approved algorithms and modules.
For overall information security, we recommend applying the best practice guidelines of ISO 27001/2, which can serve as an umbrella that creates a protective arc over the more granular requirements of PCI DSS 2.0. With the threats to information security that organisations face both internally and externally, following such thorough guidelines ensures as bullet-proof an information security environment as they are likely to attain.
http://www.d2ops.com/