DiData says companies not securing virtualised environment

Companies are rushing to embrace systems virtualisation without any regard for the risks or for securing the environment, says , GM, solutions.

Ramjith says that, as a result, research firm has commented that the short-term gain from virtualisation might be outstripped by the long-term risk being introduced into the environment.

Speaking at ITWeb Security Summit 2008, Ramjith said Tavis Ormandy, a senior research fellow at Google, had warned in a paper that willy-nilly implementation, without planning, would result in "dramatic" exposure to threats.

While there was a huge uptake of virtualisation technology taking place, Ramjith said he was led to ask: "Is there anybody in our market who is thinking about this? And a little bit of research said no." On the contrary, many people were doing exactly what Ormandy had warned against, he noted.

The risks

He said risks included total compromise, "where an attacker takes over the entire VM (virtual machine) environment, the entire server. The whole point of virtualisation is to put the optimum instances onto a single piece of hardware. So basically, you're creating a mini data centre on a single server. And if anybody owns that, you've got a good chance of actually exposing a lot more than you intended."

Another risk was that of partial compromise, where an attacker was able to get information about the rest of the environment, using the virtual machine as the entry point into the rest of the environment.

No silver bullet

Ramjith said, while there was no easy way or single product to secure the VM environment, there were common-sense steps that could be followed to help secure the environment when adopting virtualisation.

These included developing a strategy, which would include assessing the business benefits, readiness and impact assessments, considering the VM business continuity planning requirement, and considering often overlooked issues such as support skills, licensing and patch management.

He urged delegates to implement administrative access control and also implement systems controls and best practices for successful deployment. Among other things, vendor evaluation should include "baked in" security criteria.
