When looking at how virtualization and cloud have changed traditional security, a lot of it has to do with visibility. Until recently, security was focused on physical controls and visibility into the network, and so solutions were designed to sit on the perimeter or in-line with the network. Intrusion detection and prevention is delivered through in-line IPS and next generation firewalls that feed Security Information Event Managers (SIEMs or SEMs) which logs the traffic and notes any discrepancies based on the policies and controls that the SIEM device was tuned to watch for. This is standard practice in all IT shops, but what changes with virtualization?
Suddenly we have a huge field of abstraction with virtualization, sortof like a gigantic bubble that covers the virtualized environment. An external network security device is only good at detecting traffic until it hits the physical server. It cannot see the inner workings of virtual environment beyond any changes made to the host that would normally be detected on a traditional security device. But since the whole point of virtualization is to load a server full of VMs to maximize the ROI on infrastructure, what happens to the security policies that were applied in the physical server space when the servers are virtualized?
The key problem is that traditional SIEM devices just can’t see into virtualized environments. This means that any changes done within a VM environment cannot be tracked. Big security problem as you can imagine. But it’s not just the threat of people spinning off virtual NICs or duplicating VMs and then moving them to another server undetected. It extends to figuring out why the whole infrastructure crashes because a faulty patch was installed, or if a third-party plugin is causing a memory leak.
The unique capabilities of virtual environments mean that users can create, clone and move virtual machines without being detected by external security controls. Administrators cannot see who is accessing the virtual environment and if this access poses any threat to the infrastructure. A SIEM can also act as a forensic tool for determining what caused a particular failure in the system and to verify the root cause. In order to have proper logs that can be audited for security purposes, or just to be able to review and understand why something unexpected happened, you need to have a device that can see the inner workings of the virtual environment.
Luckily these technologies are starting to hit the marketplace. Some of the largest SIEM manufactures such as RSA now have the capability of tapping into virtual environments and report on exactly what is happening on the inside. This means another layer of visibility beyond virtualization management tools. It also helps ensure that compliance requirements are being met, as they can map to individual standards such as PCI or HIPAA. As virtualization management tools become more sophisticated, the requirement for proper visibility will become more critical to ensure the virtual environment meets compliance standards.