Securing the virtual environment
So you have you a shiny new virtual environment up and running. You may have virtualised all your servers, so that your business-critical databases, CRM systems, ERP applications and email all reside in a virtual environment. It has been a long project, but now it is complete and you are experiencing the operational, performance and cost gains. Stop! Think! Have you covered all the bases? Have you thought about security?
I ask the security question a lot, and in most cases the response is either: “Security is not my responsibility.” or “”Yes I have considered this and we have implemented the same security as we had in our physical environment.”
These responses illustrate a common misconception – that a virtual environment is inherently more secure than a physical one. This is wrong. A malware attack doesn’t distinguish between a physical or virtual device. Cybercriminals pay little regard to the environment. They are just looking for the easiest way in! There are even Trojan attacks designed specifically to attack virtual machines.
Another objection I hear to my security questions is that malware cannot survive the decommissioning of non-persistent virtual machines (VM). Again, rubbish. Some malware can jump from VM to VM and from host to host.
Finally, cyber-crime does not stand still. There has been a massive increase in the volume of malware and the attacks are constantly evolving, leaving physical and virtual environments at risk.
There are three options for securing your virtual infrastructure – that is, of course, excluding the fourth option of having no security at all!
1. Traditional “agent-based’ security
This can provide you with a good solution, although there are some significant drawbacks. Consider the reasons you moved to a virtual environment in the first place. Cost savings and optimisation are likely to be included in your rationale. By installing software not optimised for a virtual estate, you are loading a separate copy of anti-malware, software and signature updates on every endpoint. This duplication is massively wasteful in a VM environment.
On top of this you have the resource nightmare of potential “AV storms’. All your VMs updating at the same time slows everything down and can even bring your environment to a complete halt. You can also leave your systems vulnerable through what’s known as an “Instant On Gap,’ the window of time after a VM spins up, but before the agent on that VM downloads the latest security updates.
For virtual systems, optimum consolidation ratios ( the greatest possible density of VMs for your money) is the main goal. Traditional protection is inefficient in virtual environments, taking up resources which could be used to add more VMs. However, at least with this approach, you are protected and have not left your systems vulnerable to attack.
2. “Agentless’ security
This is the next option. Now we are moving on to protection that is designed to optimise security in a virtual infrastructure. The security software is loaded onto its own secure virtual machine and no agent resides on the other VMs in the estate. This allows them to run smoothly with no duplication or redundancies, helping to make the most of your investment. It also means you can get the security up and running very quickly and there is no need for time consuming reboots.
This approach is at the other end of the spectrum to the “agent-based’ approach, addressing most, if not all, of the downsides. However, you don’t get something for nothing and if you look at this approach in more detail, there are a few drawbacks.
Firstly, you are relying on your security vendor integrating with the virtualisation vendor. This means that the range of advanced features such as application control, device control and web control may not be available to you. Also, some virtualisation vendors don’t have the technology inbuilt to enable this approach. You are moving back to pure anti-virus/anti-malware protection, with none of the enhanced options endpoint security gives you.
So if “agent- based’ is at one end of the spectrum and “agentless’ is at the other, is there another option that gives you the best of both worlds? The answer is yes – with “light-agent’ security.
3. “Light-agent’ security
In this architecture, the security software is still loaded onto a secure virtual machine, but an additional lightweight agent is installed on each VM. This unlocks the potential for deeper, multi-layered protection, including features such as web, device and application policy enforcement. Now you have achieved most of the benefits of the “agent-based’ and “agentless’ approach, giving you the flexibility to setup the most appropriate security posture for your environment.
You may now be scratching your head and wondering how you are supposed to manage all of this and your workstations, laptops and mobile devices. You are managing enough different consoles at the moment. You want to keep things as simple and straightforward as possible because complexity is the enemy of security.
There are security vendors out there that enable you to manage all types of endpoints from one single console. This allows you to effectively manage your security policies and close any gaps that would exist, when using multiple products and management consoles. However, be aware that not all “single’ consoles are identical. Some provide a portal into multiple other consoles (with different interfaces).