Securing access and identity in a virtualised environment

August 2016 Information Security, Integrated Solutions

Virtualisation is unquestionably compelling technology. It has the potential to link IT and business at the core by providing improved flexibility, resource efficiency and continuity capabilities, thereby fulfilling the agility, cost, quality and risk requirements of today’s enterprises. Moreover, in leveraging virtualisation technology, IT departments can approach 100 percent utilisation of a physical server, which can reduce operational costs associated with floor space, personnel, bandwidth and power and cooling.

Michael Horn (CISSP), CA Southern Africa.
Michael Horn (CISSP), CA Southern Africa.

While the benefits of virtualisation are often publicised, the challenges it creates don’t always get the same attention – especially when it comes to security. One reason for that is, over the past fifty years, security for strictly physical IT operations has become well established. Whether one is talking about identity management, application security, access and information control or user activity logging and reporting, the majority of physical servers out there are being protected effectively. They have years of process evolution and best practices to thank for that.

Effective virtual server security, however, is not as ubiquitous, fact which becomes apparent when one examines the fundamental differences between physical and virtual servers. Whereas organisations can stack servers away in a room and protect them from unwanted access with physical controls – unsecured virtual servers can be cut, copied and pasted from the virtualisation host as easily as a file on a PC. Additionally, and for better or worse, with the hypervisor serving as a single management point for all virtual machine (VM) images, a person with hypervisor access suddenly has control over many business-critical services.

Compromising the hypervisor to download an image or introduce a rogue VM is equivalent to breaking into a server room and stealing a machine or introducing an unauthorised server into the data centre. Virtualisation consoles can be accessed with the right privileges; and native operating system security does not provide the protection required to meet regulatory compliance and security best practices.

What can organisations do to secure a virtualised environment? They can take the following three steps:

• Managing roles, identities and applications.

• Controlling the access of privileged users.

• Improve auditability and compliance.

Roles, identities and applications

When identities are not managed well in the physical world, the access problems this creates increase exponentially when moved to a virtualised environment. Organisations can counteract this by leveraging software that clearly defines and manages user’s roles and coordinates with an identity management solution to help ensure that users are only granted privileges appropriate to their positions. With such a solution in place, uncontrolled, over-privileged users become a thing of the past – as does their ability to wreak havoc on business-critical systems and applications in a virtual environment.

The other side of the security spectrum is the need to manage secure access to applications by users, as well as other applications or services. In a virtualised environment, application servers will go on and off-line as computing demands ebb and flow.

Controlling privileged users

In a strictly physical IT infrastructure, normal users are identified and controlled by the operating system and application security. They may make mistakes or attempt misuse, but provided the controls are set correctly, they cannot breach confidentiality or damage the system. In contrast, privileged user access goes above operating system security with a username and/or password that is often shared between administrators – essentially turning it into an anonymous, communal ID.

Virtualisation compounds this problem. Since administrators have control over the physical host and all of the virtual sessions running on it, they also have access to sensitive data and can impact business continuity.

Without an independent access control solution, multiple privileged users could get into the hypervisor and copy VM images – along with the data and applications they hold. These images could be brought back online on an unsecured network (e.g. for quality assurance and development purposes), making it easy for an intruder to access the contents within. Organisations can avoid this nightmare by implementing an access control solution that provides the ability to dynamically limit the permissions of normal and privileged users in a virtualised environment.

Auditability and compliance

Given the power a virtualisation platform has over the stability of an entire data centre – as well as the integrity of the data it manages – it must be viewed as a critical infrastructure component. As such, it should be subject to the same compliance requirements as a physical environment. Therefore, businesses must track the interaction that each user has with the virtualisation platform, as well as within each of the VMs it hosts.

Companies hoping to achieve compliance in the virtualisation age need a solution that tracks and audits access to the host operating system. What’s more, this solution needs to support auditability across all VMs, as every instance is subject to the same compliance requirements.

For more information contact Michael Horn (CISSP), CA Southern Africa, +27 (0)11 417 8765, michael.horn@caafrica.co.za.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Deception technology crucial to unmasking data theft
Information Security Risk Management & Resilience
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Read more...
Data security and privacy in global mobility
Risk Management & Resilience Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
Future trends for electronic safety and security in mining
Fang Fences & Guards Mining (Industry) Integrated Solutions AI & Data Analytics
The mining industry is ever evolving, driven by technological advancements and the growing need for enhanced safety and security measures, with significant innovation seen in turnkey electronic security for mining operations.

Read more...
Unlocking enhanced security for mining
Mining (Industry) Integrated Solutions
In the dynamic landscape of African mining, security remains of paramount concern as threats evolve and challenges persist, and mining companies seek innovative solutions to safeguard their operations, assets, and personnel.

Read more...
A constant armed struggle
Technews Publishing XtraVision Editor's Choice Integrated Solutions Mining (Industry) IoT & Automation
SMART Security Solutions asked a few people involved in servicing mines to join us for a virtual round table and give us their insights into mine security today. A podcast of the discussion will be released shortly-stay tuned.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
Navigating South Africa's cybersecurity regulations
Sophos Information Security Infrastructure
[Sponsored] Data privacy and compliance are not just buzzwords; they are essential components of a robust cybersecurity strategy that cannot be ignored. Understanding and adhering to local data protection laws and regulations becomes paramount.

Read more...
AI augmentation in security software and the resistance to IT
Security Services & Risk Management Information Security
The integration of AI technology into security software has been met with resistance. In this, the first in a series of two articles, Paul Meyer explores the challenges and obstacles that must be overcome to empower AI-enabled, human-centric decision-making.

Read more...
Milestone Systems joins CVE programme
Milestone Systems News & Events Information Security
Milestone Systems has partnered with the Common Vulnerability and Exposures (CVE) Programme as a CVE Numbering Authority (CNA), to assist the programme to find, describe, and catalogue known cybersecurity issues.

Read more...