CISO Perspectives | Securing virtual government environments
- By Special to GCN
- Sep 16, 2008
The unmistakable and obvious appeal of reducing the data-center
footprint and realizing significant cost savings by converting 20
or 30 physical servers into virtual machines running on a single
system is hard for even the most conservative and risk-averse
government organizations to resist.
Beyond the many compelling traditionally IT-based benefits
— fewer servers, lower energy bills, faster hardware, ease of
use — there are also a few information security-focused
benefits that should appeal to both government and private-industry
Virtual environments provide the capability to encapsulate an
operating system, an application and its associated data into the
equivalent of an application running on top of an operating system.
The package, which can be saved as an image file that can be easily
transmitted to an off-site location, can potentially address the
disaster recovery and business continuity problem currently
crippling most federal CISOs.
In addition, the appeal of sandboxing — creating
virtualized environments for today’s cyber forensic
practitioners who must examine and dissect potentially hostile
programs such as spyware, Trojans and computer viruses — is
However, with the rise of virtual machine adoption rates,
federal government CISOs are faced with the challenge of
effectively securing virtualized environments with little
overarching guidance from the standards-setting bodies. And there
are very serious knowledge gaps in the systems administration,
security practitioner and audit communities.
Virtual machines also expose organizations to the possibility of
massive data breaches because entire applications can be stored as
a disk that can be transferred off-site and installed on another
system — a sobering fact with massive security implications.
Combine that with the number of virtual machines that can be
created — each with open ports — and it’s clear
that virtual environments introduce huge new security concerns.
Virtual servers present new avenues for employees to circumvent
established data security policy and regulations for servers and
overall network and data security. The fact that virtual servers
are so easy to deploy means anyone can create a server without
going through the proper channels. The results can be unauthorized,
untested and noncompliant servers deployed to the operational
environment unbeknownst to the IT department.
Although Office of Management and Budget Memo M-07-11 directed
the implementation of National Institute of Standards and
Technology configuration checklists in NIST Special Publication
800-70, many of today’s configuration assessment tools are
not designed to work in virtual environments. Additionally, federal
network security specialists are still getting up to speed on
configuring network security settings for virtual machines and
learning the tools for managing virtual environments. That
increases the chance that virtual machines are released with
configuration settings that introduce risk.
Federal CISOs also need to be aware that a primary benefit of
virtual machines — their ease of deployment to meet peak
demands — quickly becomes a detriment when they are used and
removed without any record of the administrative activity that has
occurred on them. Once a virtual server is removed, obtaining a
trail for compliance-audit purposes becomes nearly impossible.
Furthermore, virtual environments are subject to regulatory
compliance and require the same IT controls. From a certification
and accreditation perspective, a literal interpretation of NIST
SP 800-37 guidance on system recertification requirements due to
“significance of change” could imply that each
instantiation of a virtual machine should trigger a system
recertification, because of its impact on existing security
controls in the otherwise accredited system or the new
vulnerabilities the new virtual machine is likely to introduce.
In addition, the annual configuration compliance reporting
requirements of the Federal Information Security Management Act
would imply that individual instantiations of virtual machines
should be included in agency reports and counted toward the FISMA
score card.
There are some proven benchmarks federal CISOs can apply to
limit their risks from virtualized environments, including:
- Limiting physical access to the host.
- Hardening the base operating system.
- Installing firewalls between virtual machine layer service
- Encrypting communication.
- Implementing virtualization server authentication.
- Disabling features, including screensavers and suspend
- Securing file sharing between host and guests.
- Using time synchronization.
- Following NIST SP 800-70 guidelines for hardening guest
- Disconnecting unused devices.
- Implementing secure remote management.
- Implementing vulnerability and patch management.
- Implementing auditing.
- Implementing file integrity checking.
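Two of the concerns raised above, servers deployed outside proper channels and removed virtual machines leaving no audit trail, as an added example that is not part of the original article: a Python sketch that diffs constructed hypervisor inventory snapshots against a hypothetical authorized-asset register, flags unapproved VMs and emits append-only audit lines for VMs that disappear. The VM names, the register layout and the snapshot format are assumptions, not any real agency's data or any particular hypervisor's API.

```python
"""Reconcile hypervisor inventory snapshots against an authorized-asset register
and keep a host-independent audit trail for VMs that appear or disappear."""

# Constructed sample data (hypothetical names, not from any real agency).
# The register maps each approved VM to the accreditation it was deployed under.
AUTHORIZED = {"web01": "ATO-2008-014", "db01": "ATO-2008-014"}
# Two inventory snapshots in the shape a hypervisor API or CLI might report them.
SNAPSHOT_T0 = {
    "web01": {"state": "running", "ports": [443]},
    "db01": {"state": "running", "ports": [1433]},
    "test-box": {"state": "running", "ports": [22, 8080]},  # nobody approved this one
}
SNAPSHOT_T1 = {
    "web01": {"state": "running", "ports": [443]},
    "db01": {"state": "running", "ports": [1433]},
}


def find_unauthorized(snapshot, authorized):
    """VMs running on the host that are not in the register: candidate rogue deployments."""
    return sorted(name for name in snapshot if name not in authorized)


def lifecycle_events(before, after, when, authorized):
    """Diff two snapshots into created/removed events. A removed VM keeps its
    last known state in the event, so the trail survives the VM's deletion."""
    events = []
    for name in sorted(set(before) | set(after)):
        if name in before and name not in after:
            events.append({"time": when, "vm": name, "event": "removed",
                           "authorized": name in authorized,
                           "last_known": before[name]})
        elif name in after and name not in before:
            events.append({"time": when, "vm": name, "event": "created",
                           "authorized": name in authorized})
    return events


def audit_log_lines(events):
    """Render events as append-only lines for a central log store off the host."""
    lines = []
    for e in events:
        line = f"{e['time']} vm={e['vm']} event={e['event']} authorized={e['authorized']}"
        if "last_known" in e:
            ports = ",".join(str(p) for p in e["last_known"]["ports"])
            line += f" last_state={e['last_known']['state']} ports={ports}"
        lines.append(line)
    return lines
```

Run the reconciliation on every snapshot interval and ship the lines to a log store that does not live on the virtualization host, so the record outlives both the VM and the host.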
Federal CISOs can expect the explosive adoption rates of
virtualization to continue. Unfortunately, the flexibility that
makes virtual machines such a useful technology can also undermine
security within organizations and individual hosts.
Current research efforts on virtual machines have focused
largely on the implementation of virtualization and its
applications. However, further attention is needed due to the
security risks that accompany the technology and should focus on
developing security tools, tactics, techniques and procedures to
better address those risks.