How to clamp down on privileged users in a virtualization environment

* CA extends its virtual systems management portfolio with security management capabilities

Management and security, always a troublesome twosome, have reared their ugly heads yet again. This time, they're causing problems for virtualization initiatives, quashing deployment plans while IT managers grapple with how to finesse management and security of the virtual machines moving around the server infrastructure.

No surprise, then, that CA Technologies, with its aggressive pursuit of virtual systems management plus its security management expertise, has extended its CA Virtual management portfolio, introduced earlier this year, with an access control product. This isn't just any "do-everything" virtualization security product, but one aimed specifically at helping virtual system administrators get over the problem of virtual machine stall, says Andi Mann, vice president of product marketing at CA.

The product, called CA Virtual Privilege Manager, provides host access control and privileged user management. In other words, it enables management of root- and systems administration-level users with password management and access-control mechanisms as well as auditing and reporting of those privileged user IDs.

"In the virtualization environment, we've heard a lot of hype about things like cross-hypervisor and intramemory attacks, but customers tell us those are theoretical concerns. What they really have issues with are highly privileged users having root access to mission-critical and production environments," Mann says. "These users need a level of access to do their jobs, but that access gives them the opportunity to potentially make mistakes. For example, they might log into the wrong platform -- production instead of test and development -- at the wrong time and make changes that could prove a problem for auditing, compliance and reporting."

Plus, he adds, the insider threat is a concern. "They don't want disgruntled users to be able to intentionally misuse the authority they've been given to make changes."

With CA Virtual Privilege Manager, virtual systems administrators get the ability to manage the security of their virtual environments without necessarily having to work directly with the security team, Mann says. "It helps them overcome staffing issues in that they can do security and, more importantly, gives administrators the ability to provide privileged access but not on a 24/7 basis," he adds.

As part of its password management capabilities, CA Virtual Privilege Manager enables audited check-out and check-in of temporary, one-time passwords, explains Biren Gosai, principal product marketing manager at CA. Virtual system administrators can use out-of-the-box rules and workflows for passwords, but can also rely on "break-glass functionality" should a login be required quickly, he adds.

CA Virtual Privilege Manager also provides a variety of other capabilities, including the ability to harden the hypervisor service console, Gosai says. Administrators, for example, can restrict user access by time of day and segregate duties on a fine-grained basis.

As Gosai says, "Why wouldn't IT organizations not want the same level of visibility, control and security in their virtualization deployments as they're accustomed to having in their physical environments?"

Why not indeed?

Copyright © 2010 IDG Communications, Inc.
