Shift to virtualized environments shaking up security practices

By Ellen Messmer, Network World

The move to almost fully virtualized computing environments is driving a fresh approach to security in the enterprise, according to information technology security managers applying controls for VMware and Microsoft Hyper-V.

"We're very close to being 100% virtualized," says Gurusimran Khalsa, systems group supervisor in the state of New Mexico's human services department. That organization's servers are based on VMware's vSphere, and a virtual desktop project is being started, too. The agency's 170 server-based virtual machines (VMs) run in its local data center, with a range of Web applications, multi-tiered IT systems, file servers, domain servers, SharePoint and SQL servers.


Because of a security breach that occurred a few years ago -- the loss of sensitive data was considered so serious that several IT staff were laid off -- the agency in Santa Fe has sought to keep a tight rein, requiring two-factor authentication to get into servers and introducing "air gaps" to protect some sensitive data. But at the time, while the benefits of virtualization, such as server consolidation, were being introduced, it wasn't fully understood how this transformation would impact security, says Khalsa.

Increasingly, there was concern among security and compliance officers that if VMware's vCenter management console were compromised, the game would be over. "It's the central point of access to vCenter that manages our production environment," says Khalsa.

To beef up controls there, the agency decided to install the HyTrust virtual appliance, which intercepts administrative requests to the virtual infrastructure to determine which requests are in line with the organization's policies. "We have a couple of vSphere admins at a higher level of access," says Khalsa. HyTrust can be set up to ensure only certain workloads are permitted to boot up in specific hosts or clusters, and it can label virtual objects and apply policies to them.
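The pattern described above, a policy point that sits in front of the management API and decides, per request, whether an administrator's action and the workload placement it implies are permitted, can be sketched in a few dozen lines. The following is an added example, not HyTrust's or VMware's code; the users, roles, labels and placement rule are constructed for illustration.

```python
"""Label-based admission control for virtual-infrastructure admin requests.

Added example (not HyTrust or VMware code). Models a policy enforcement point
placed in front of the management console (vCenter in the article): every
administrative request is checked against role permissions and against labels
on the virtual objects involved before it is forwarded. All names, roles and
labels below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Request:
    user: str
    action: str                       # e.g. "power_on", "migrate", "delete"
    vm: str
    target_host: Optional[str] = None # used by power_on / migrate

# Constructed inventory: labels attached to VMs and hosts.
VM_LABELS = {
    "sql-prod-01": {"zone": "pci", "tier": "data"},
    "web-dmz-03":  {"zone": "dmz", "tier": "web"},
}
HOST_LABELS = {
    "esx-pci-a": {"zone": "pci"},
    "esx-gen-b": {"zone": "general"},
}

# Role -> permitted actions; only the "higher level" admins may delete or migrate.
ROLE_ACTIONS = {
    "vsphere-admin": {"power_on", "power_off", "migrate", "delete", "snapshot"},
    "operator":      {"power_on", "power_off", "snapshot"},
}
USER_ROLES = {"alice": "vsphere-admin", "bob": "operator"}

def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    role = USER_ROLES.get(req.user)
    if role is None:
        return False, "unknown user %s" % req.user
    if req.action not in ROLE_ACTIONS[role]:
        return False, "role %s may not %s" % (role, req.action)
    vm_labels = VM_LABELS.get(req.vm)
    if vm_labels is None:
        return False, "unknown VM %s" % req.vm
    # Placement rule: a workload may only boot on, or move to, a host whose
    # zone label matches its own. A PCI VM never lands on a general host.
    if req.action in ("power_on", "migrate"):
        host_labels = HOST_LABELS.get(req.target_host or "")
        if host_labels is None:
            return False, "unknown host %s" % req.target_host
        if host_labels["zone"] != vm_labels["zone"]:
            return False, "VM zone %s may not run on host zone %s" % (
                vm_labels["zone"], host_labels["zone"])
    return True, "ok"

AUDIT_LOG: List[Tuple] = []   # every decision is recorded, allowed or denied

def intercept(req: Request) -> bool:
    """The hook a proxy would call before forwarding a request upstream."""
    allowed, reason = authorize(req)
    AUDIT_LOG.append((req.user, req.action, req.vm, req.target_host, allowed, reason))
    return allowed

if __name__ == "__main__":
    for r in (Request("alice", "power_on", "sql-prod-01", "esx-pci-a"),
              Request("alice", "power_on", "sql-prod-01", "esx-gen-b"),
              Request("bob", "delete", "web-dmz-03")):
        print(r, authorize(r))
```

The important property is the default: a request that matches no rule, or names a user, VM or host the policy has never seen, is denied and logged rather than passed through. Labels are the unit of policy, so a new PCI host inherits the placement restriction the moment it is labelled.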

The agency also began using the Juniper vGW Series firewall, which is based on its acquisition of startup Altor Networks last December. "The firewall is positioned between the VM and vSwitch," says Khalsa. "It's set up similarly to a regular firewall, with least privilege."

While the agency still uses VLANs to cordon off some servers, the Juniper virtual gateway firewall provides far more granular controls, and has the ability to do introspection on the VMs to see what's installed and set rules based on that, says Khalsa.
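What "least privilege" means for a per-VM firewall driven by introspection: the rule set for each VM allows only the services that VM was observed to run, from only the zones that need them, and everything else is denied by default. The following is an added example, not Juniper vGW code; the introspection inventory and source zones are constructed, and the zone names are assumptions.

```python
"""Least-privilege per-VM firewall rules derived from an introspected inventory.

Added example (not Juniper vGW code). INVENTORY stands in for what a VM
introspection agent would report (services found listening on each VM);
from it a default-deny rule set is built for each VM, and later observations
are compared against the baseline so that drift is flagged rather than
silently allowed. All VM names, zones and services are constructed.
"""
from typing import Dict, List, Set, Tuple

Service = Tuple[str, int]                # (proto, port)
Rule = Tuple[str, str, int, str]         # (src_zone, proto, port, action)

# Constructed introspection result: vm -> services observed listening.
INVENTORY: Dict[str, Set[Service]] = {
    "web-dmz-03":  {("tcp", 80), ("tcp", 443)},
    "sql-prod-01": {("tcp", 1433)},
    "file-01":     {("tcp", 445)},
}

# Which source zones may reach each VM's services (assumed zone names).
ALLOWED_SOURCES: Dict[str, Set[str]] = {
    "web-dmz-03":  {"internet", "internal"},
    "sql-prod-01": {"app"},                 # only the app tier talks to the DB
    "file-01":     {"internal"},
}

# Management ports are reachable only from the admin zone, on every VM.
MGMT: Set[Service] = {("tcp", 22), ("tcp", 3389)}

def build_rules(vm: str) -> List[Rule]:
    """Ordered, first-match rule list for one VM, ending in an explicit deny."""
    rules: List[Rule] = []
    for proto, port in sorted(INVENTORY.get(vm, set())):
        for zone in sorted(ALLOWED_SOURCES.get(vm, set())):
            rules.append((zone, proto, port, "allow"))
    for proto, port in sorted(MGMT):
        rules.append(("admin", proto, port, "allow"))
    rules.append(("any", "any", 0, "deny"))  # default deny: port 0 = wildcard
    return rules

def evaluate(vm: str, src_zone: str, proto: str, port: int) -> str:
    """Decide a flow toward `vm` using first-match semantics."""
    for zone, rproto, rport, action in build_rules(vm):
        if (zone in ("any", src_zone) and rproto in ("any", proto)
                and rport in (0, port)):
            return action
    return "deny"   # unreachable given the trailing deny, kept as a safety net

def unexpected_services(vm: str, observed: Set[Service]) -> Set[Service]:
    """Services now listening that the baseline never allowed. These are a
    detection signal (new software on a PCI host, a backdoor listener) and
    should be reviewed, not automatically turned into allow rules."""
    return observed - INVENTORY.get(vm, set())

if __name__ == "__main__":
    for rule in build_rules("sql-prod-01"):
        print(rule)
    print(evaluate("sql-prod-01", "internet", "tcp", 1433))
    print(unexpected_services("sql-prod-01", {("tcp", 1433), ("tcp", 4444)}))
```

Because the rules follow the VM rather than a VLAN, they stay attached when the VM is migrated, and because they are generated from what the VM actually runs, an unplanned listener shows up as a difference against the baseline instead of being reachable by default.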

Other agencies and businesses say they also needed to look at new approaches for security in their virtualized environments.

"We're about 80% virtualized," says Rick Olejnik, chief information security officer at Brookfield, Wis.-based law firm Rausch, Sturm, Israel, Enerson & Hornik (RSIEH), which specializes in debt collection and has offices in 13 states.

One of the main concerns the law firm had was securing credit-card data in its VMware ESX server environment, even though the credit card numbers are defunct. About a year or so ago the banks and financial institutions which are RSIEH's clientele made it clear that although these are no longer active card numbers, they still need to be protected according to the Payment Card Industry rules.

That meant encrypting them. Olejnik said that led to the decision about eight months ago to deploy the Vormetric appliance for encryption key management along with encryption software on the ESX servers to encrypt PCI data at rest, while the agent software decrypts the data so that the application called Collection Master can access and process it.

"It's happening at the kernel level and there have been no performance issues at all," says Olejnik. But besides adding encryption to the virtualized computing environment, another security control at the law firm depends on using the Palo Alto Networks application-layer firewall to partition off VMs. "This allows us to do the segmentation required on our internal network," says Olejnik.


Originally published on Network World.
