Wednesday, August 8, 2007

Virtually Secure

Christofer Hoff has a good post here. In particular,
Combine that with NAC agents on the hosts and...whether or not it actually works is neither here nor there. They told they story and here it is. It's good to be king.
His point being that Cisco doesn't have to worry about when they are going to deliver a product or even how will it will work when they do ...

Meanwhile, back in your virtualized data center, you can be warm and happy knowing that Cisco's virtually shipping product has you virtually secure already. Nice, huh?

What about Real Security -- Real Security for Virtualized Infrastructures? You've deployed half a dozen quad-core systems and thrown out 150 obsolete boxes. Maybe you had IPS and NAC in your datacenter already, but do you have it now? If your virtual windows 2000 server get's infected and starts attacking the other systems on the host, how will you know?

Maybe you will know when the infection begins to spread to other hosts and their virtual servers, but by then you will have a real mess on your hands.

The right answer involves doing something today, not waiting for a vendor to implement a solution next year. Here is the pragmatic prescription for today, virtual servers are servers, period.

If there reliability and security are important to your business then you have to secure them with same mature IT processes that you use for everything else:
  1. Specify the appropriate security requirements at the start
  2. Determine and implement secure baselines that meet your business and security requirements
  3. Validate/test that the performance and security of your systems meets the stated requirements before you put them in production
  4. After deployment, test them again -- virtualization really helps you here
  5. Use change control and segregation of duties -- (ITIL and ISO 17799 driven) processes and controls to keep working systems, working
  6. Patch management and vulnerability management are a continuous process -- don't treat these problems with a calender ... not unless you like emergencies
  7. Continuously monitor your network and systems, use the protection appropriate to the value of the data or business operations, such as:
    • Gateway: firewall, anti-spam, anti-malware, content filtering, vpn ...
    • Network: vulnerability monitoring, IDS/IPS, NAC, Policy management and compliance ...
    • Endpoint: Anti-malware, AAA, log analysis, patching, encryption ...

  8. Disaster/Business continuity planning, incident response and training have to include your virtual infrastructure -- DR/BP might be a big driver behind your virtualization effort, but nothing substitutes for a good test.
Do all of the above, appropriately to the level you need, don't wait to become the next security breach. It's more about the process than the tools.

No comments: