Virtualization technology is used extensively within IT Infrastructure environments, within internal organizations, by service-provider organizations and by cloud-service providers. Many virtualization technologies are utilized from z/OS LPARs, Solaris Zones and Containers, Oracle VMs, Linux KVMs to Microsoft Hyper-V and VMware vSphere technology used in x86 Virtualization.
x86 Virtualization is used primarily for hosting Windows Server and Linux Operating guest OS environments and is the predominant technology based on number of hypervisors (virtual-machine managers) and number of guest-operating systems (VMs) used within most IT infrastructure environments.
Given the many benefits of x86 virtualization technologies and their widespread use, there are also a number of key information-security and control risks that need to be identified and mitigated to provide an appropriate level of protection for an organization’s information assets used within these environments. (These assets may include Windows Active Directory environments including Domain Controllers and Member Server environments; key business-application-system environments consisting web server; application-server and database-server components; and key IT infrastructure services such as Exchange Servers, SharePoint Servers).
Key risk areas that need to be assessed include:
· Lack of security architecture and design requirements for hypervisors and their supporting management infrastructure
· Lack of configuration management, build and deployment processes for hypervisors and guest-operating systems, including key security-configuration requirements
· Lack of appropriate segmentation / isolation of guest-operating-system environments based on security and regulatory / compliance requirements
· Inappropriate security design and deployment for virtual networks
· Inappropriate management of privilege for virtualization infrastructure and hypervisor environments
· Lack of change-management controls for configuration change; patch management and firmware updates
· Lack of management of VM sprawl
Many of these risks can be mitigated based on development and use of the process-based controls and procedures in the following areas:
· Security Architecture and Design
· Configuration and Asset Management
· Secure Build and Hardening
· Privilege Management
· Security Alert Monitoring
· Change Management / Patch Management
· Vulnerability Management
· Compliance Assessment
Join me at ISACA’s North America ISRM/IT GRC conference in Las Vegas next month to learn more about the key risk-and-control requirements for server-virtualization environments. Discussion areas will include key-virtualization risks, security-and-control issues (based on VMware vSphere), key security-and-control requirements for VMware ESXi5 servers and vCenter; control requirements for privileged administrative users; and security-configuration standards and compliance approaches.
I hope to see you there!
John G. Tannahill, CA, CISM, CGEIT, CRISC
We welcome your comments! Please log in using the Sign In link at the top right of this page and then leave your comment in the box at the end of the post. To view all blog posts, please click on the ISACA Now link in the blue box on the left.