Keeping Secure? Virtually Impossible
The last 12 months has seen an incredible transformation from traditional IT towards a new, digitalised world which has begun to redefine the industry entirely. One of the key trends was the virtualisation of services which continues to gather pace. However, a virtual environment presents an array of virtual threats.
Every month we talk about how fast changing the industry is, and it’s true, IT moves at an incredible pace. Technology is like a game of poker, it’s very challenging to know when to stick or twist when it comes to market moves. Missing one key trend can be very damaging for a company; it can be left behind in an instance. Therefore, making bold decisions is critical to success, as history suggests.
However, making quick decisions and adjusting strategies in a quickly changing environment can make a business very vulnerable to new threats which are becoming increasingly sophisticated and advanced, tapping into many different avenues of enterprise.
One of the key challenges is managing to protect your assets in a virtual environment. Virtualising your servers, storage, and hardware is highly beneficial to businesses, increasing productivity, reducing cooling costs, simplifying management, etc. However, making the bold move to change your environment which is fully protected, understood and managed is going to open up avenues for new attacks and threats which the company will be responsible to react to.
Perhaps the logical first step is to identify the major differences between traditional and virtual environments.
“In virtual environments we do not always know the exact location of our data and the server where it is stored. Data and applications can travel from one server to another, go to the cloud and come back to the server,” says Alexander Zarovsky, Head of Business Development, InfoWatch.
“In these circumstances, the traditional corporate perimeters become fuzzy and unsteady. That’s why the old model where we have a fixed perimeter with all-round external protection doesn’t work in a virtual environment. The latter needs an “inside out” security approach where you need to build security perimeters around each virtual machine and travel with it from one location to another.”
Zarovsky makes the point that the switch up between hosting data internally, in a data centre which can monitored by the company, and, essentially, giving that data up to a third party owner in a virtual data centre, creates a gap in between owner and protector. Therefore, the control of the company is significantly reduced.
However, Miguel Braojos, Vice President of Sales, SEMEA, SafeNet, believes that, although the concerns are justified, measures are already in place to counter the fears and allow businesses to be more confident when making the switch.
“It is true that there is still by default some reluctance by Middle East organisations to host their sensitive data in a public cloud based as they fear loss of control and ownership of their data,” he says.
“While some of these concerns are understandable, as the exposure to the cloud service provider’s administrators is real, there are now advanced data centric security solutions such as encryption and strong authentication, which can truly help organisations feel reassured and retain control, protection and ownership of their data.”
Increasing the challenge
It’s no secret that with a new type of data environment, a new type of challenge will arise. Identifying ways that cyber criminals can attack virtual servers is a critical step towards to eliminating the threat.
“Protecting virtual environment is more challenging than protecting physical machines. In the initial days, the virtual factor of the virtual environment itself made the environment secure and when the popularity increased for the technology, the number of deployments increased and hence the threat and risk related to the environment increased,” says Walid Kamal, Senior VP, Technology,Du.
“The virtualisation engine or hypervisor in the entire solution is the key component which is exposed to access and security related issues more internally than externally. An attacker can gain access to a host in a virtual environment and gain access to other hosts through the hypervisor or directly through processes shared between the virtual and physical resources within the same virtual environment, which earlier was well segregated with firewalls,” he adds.
Tarek Kuzbari, Managing Director, ME, Kaspersky Lab, also highlights issues led by virtualising environments – adding that the issues brought by physical servers aren’t necessarily redundant with virtual servers.
“All viruses designed for physical servers are just as dangerous for virtual machines. That is why any claim that virtual machines are less vulnerable than physical ones is just a myth,” he claims.
“Moreover, one infected machine can threaten the operation of other virtual machines running on the same host server. Additionally, most malicious programmes can be stored on a virtual machine even when it is inactive, and resume their malicious activity when it wakes from standby mode.”
Braojos adds: “As more data moves to private or public clouds, the number of super-users with access to an organisation’s data multiplies, the risk of VMs being copied without the owner knowing increases, the possibility of temporary file trails rises, and the organisation’s data is more vulnerable to being compromised.”
Making sure you’re secure
Mitigating these new types of threats can be done in many ways; either tried and tested methods can be applied to the new risks, or specially developed methods can be implemented.
Kuzbari of Kaspersky and Kamal of Du have separate opinions on this subject. Kamal believes that traditional security is still key to protecting a virtual environment. He claims that the following are the most vital protection solutions: Guest isolation and controlled host privileges, isolating management interfaces, planning for VM mobility and creating the usage of trust zones, and implementing role based access control policies to limit administrative capabilities and to enforce separation of duties.
However, Kuzbari votes against this principle, suggesting that specialised solutions are better.
“In my opinion, specialised solutions are the best choice,” he says.
Of course one of the major talking points which businesses will want to bring up, when told to secure their virtual environments, is cost. How do the prices of securing virtualised servers weigh up against the traditional, physical servers? Braojos answers anybody who has a concern over costs.
“The cost of protection is insignificant, compared to the cost of not protecting an asset in the current IT Security landscape,” he states.
“The higher the value of the data assets, the higher is the risk of a successful breach. For strategic assets, protection is mandatory. A simple example is the cost of protecting Disaster Recovery Virtual Servers versus the risk of breach to all the relevant organisation data.”
The next step, when it comes to virtual security, may be making sure that these complications, concerns and issues are addressed so that seamless, confident deployment of virtual environments can take place.
The consensus is that these steps have been put in place by major security companies, but the policies which integrate virtual servers with traditional and virtual security couldn’t come fast enough.
However, how much time and investment can go into a service which may only be a trend? Does enterprise have all the answers?
“It’s difficult to do any forecasts now because virtualisation may be a transitional period between workstations and tablets,” believes Zarovsky.
“Microsoft recently announced changing their business strategy from software to services concept. Android Market, App Store, etc cause rapid development of software applications for mobile devices. And the security environment will obviously evolve in the same direction.”
Nicolai Solling, Director of Technology, Help AG, says that from his perspective, these policies and solutions are on their way.
“In help AG we monitor this area a lot, and I can only say that we do not have a single partner that is not currently thinking about or bringing out solutions on how to secure the virtual environment – So there will absolutely be a lot of new enhancements coming out.”
Kamal looks forward to the coming years and the changes we can expect from virtualising IT environments.
“Today the challenge is that although virtualisation solutions are drastically deployed in data centres, only few servers might be virtualised in reality,” he says.
“The coming years will see a lot of application, hardware virtualisation which will be a driver for security organisations to develop more and more virtualisation related security solutions like virtual firewall. On the other hand the technological hardening efforts and security compliance policies will affect some of the prime feature of VM mobility. The tie-breaker would be a fair analysis and come to a common ground between business requirement, cost efficiency and meeting security requirements.”
Virtualisation appears to have been welcomed with open arms in the IT world, certainly in the Middle East. Of course, any new technology will attract its fair share of cyber criminals and hackers who sense opportunity. Security vendors are always hard pressed to stay one step ahead of the game, but keeping tabs on all current and upcoming threats is virtually impossible.