5 tips to audit and improve virtual server security

On the surface, security questions surrounding virtual servers don't seem much different than those for the physical machines on which they run. In fact, starting a virtual security audit by keeping in mind what you've already learned in the physical world is an excellent approach. Security analysts say the same practices, principles and basic common sense apply for a group of virtual servers as for any physical server farm. But, IT managers also need to factor in some additional considerations, due to the unique characteristics of the virtual world.

One example: software can be deployed so much more quickly using virtual machines that some steps in the typical provisioning process may have been eliminated, says Paul Love, director of information security at Standard Insurance in Portland, Ore. That, in turn, requires IT departments to make sure the necessary controls and oversight are in place, with the truncated time frame in mind.

"With virtual machines, it's very helpful to pay attention to the actual configuration of the system," Love says. "You need to really have a stable build so that when you deploy a thousand versions of it, they all meet management's requirements for what controls should be in place."

When Love's team audits security for its virtual server environment, it doesn't introduce new steps so much as extend the ones it already has for physical servers, Love says. That includes looking at the interactions among systems and ensuring that the operating system on which the virtual machine runs is secure and encounters no "configuration drift."

"We have to work very closely with change management," Love says.

As background research for auditing and improving your virtual security, you may want to consult guidance for securing virtual server environments that's available from the Center for Internet Security, the Defense Information Systems Agency and virtual server leader VMware.

"They [IT leaders] need to read these guides and come up with a summary set of lock-down and hardening policies that are customized for their environments," says Nand Mulchandani, senior director of product management and marketing at VMware. "If you just do that one thing, you will be vastly more secure and safe."

Virtual security tools can also help, but analysts warn clients to first consider the products they already use before buying new ones specifically designed for virtual servers. There are already 10 to 15 vendors offering VM-specific security tools, and that figure will probably rise to 30 by year's end, says Chris Christiansen, an analyst at IDC (a sister company to CXO media).

Consider this five-step checklist when securing a virtual server environment:

1. Conduct a full risk assessment to understand how resources have been separated and aggregated.

"Don't forget what you've learned about risk management and configuration," advises Pete Lindstrom, an analyst at Burton Group. "There's not a whole lot that has changed drastically, except it's sort of mind-expanding to consider the notion that a physical host has an entire network segment sitting inside it. That means you need to evaluate the configurations of the virtual machines themselves. Do that the same way you do any other configuration audit."