Wednesday, 29 April 2009

Security in a Virtualised Data Centre

Following on from a successful week at the RSA conference in San Fancisco where I was on the cloud computing panel, Secerno has a strong presence is at the European InfoSecurtiy show in London.

I had the pleasure of sitting on the Security Expert Forum: Security in a Virtualized Data Centre. IT was moderated by Freeform Dynamics’ John Collins and had Owen Cole, Technology Director of F5. It was a well attended session with some lively debate from the audience.

My view on this topic is:

  • Data Centre Virtualization can be GOOD because it enables consolidation and reduces operating costs
  • Data Centre Virtualization can be BAD because the mobility and architecture neutralizes the single most effective security tool – physical firewalling and network segmentation.

In my panel summary I outlined the following 10 points (which I promised to post on this blog)

1. Match Mobile Security to Mobile Resources
In a virtualised environment it is possible to move VMs at real-time from one host to another which provides resource mobility. All security defences must also be deployed in a mobile-compatible manner. Consider for example deploying virtualised firewalls that move with the resources they protect (see the next item)

2. Virtualize Firewalls
Within virtualized environments there are fewer physical network cables to plug firewall and IDS/IPS devices. Take advantage of products that are virtualized and logically cable them into the virtualized environment.

3. Design-in choke points
A lesson from the bad old days of flat networks was that network segregation and choke-points were a strong tool for the information security professional. Virtualized environments risk the return to flat networks internally. With some upfront architectural care it is still possible to design choke points into virtualised environments.

4. Consolidate Security when consolidating data
As data sources proliferate so can the security measures to protect the data. When consolidating data using virtualization to bring business benefits take the opportunity to rationalise and consolidate the data security.

5. Develop Securely
Poorly engineered software is a high risk whether it is hosted traditionally or in a virtualised environment. Always ensure that a Security Development Life Cycle is applied when developing business critical software.

6. Drive out complexity
Complexity is the enemy of security. Resist the unmanaged and unkempt proliferation of Virtual Machines and drive out complexity at all levels.

7. Protect data in motion with active control
Take every opportunity to proactively control all data flows in the enterprise regardless of whether the architecture is virtualised or not.

8. Plan for the worst
Things always go wrong. Good planning and preparation can reduce the risks and costs when things do go wrong.

9. Intelligently Monitor and Audit
Ensure that live monitoring of systems and how they are interacting and passing data is build into the operating environment. Make use of Security Information Event Monitoring systems as well as other audit trails. Be vigilant in manning these monitoring systems so incidents do not go unnoticed. Enact well rehearsed response plans for all incidents.

10. Insist on Data at rest Encryption
The ease with which a VM can be copied and moved to another machine for study makes it important that all data held in the VM be strongly encrypted.

Please feel free to send feedback on this list.