Virtualisation is becoming a predominant feature in how IT services are delivered and managed. While the benefits are huge, they come with increased security risks that are only now being understood.
The vulnerabilities of virtual infrastructure stem from how virtual machines are purpose-designed to be easy to share and copy. Combine that with the multiple privileged users found in virtual data centres and multi-tenanted cloud services, and the question becomes: how do you stop your confidential data being stolen or administrators tampering with your high-value information?
So it is unsurprising to me that virtual hacking is straightforward. Acquiring someone’s password remains too easy if you have hacking skills, and once it is cracked you have free rein within a virtualised environment to copy and steal at will.
The response of organisations that have or use virtualised infrastructure must be firm. To start with, there are too many vulnerabilities that are preventable. For example, too many virtualised infrastructures comprise key services that have web servers and thus offer back-door access via the web that can be broken into.
Shutting down avoidable flaws is obvious, but there is something more surprising that organisations should do: accept that breaches happen and convert them into secure breaches, or data losses that you can live with because they aren’t data losses at all. This means having processes and technologies in place that kill the data and make it useless if it falls into the wrong hands. In essence, security is embedded in every piece of data that’s valuable to you.
Key to achieving this goal is having a data encryption plan in place that lets you maintain control of your data in a public virtualised environment. An important element of this is the ability to audit activities and to store digital keys separately from the cloud service provider.
This prevents rogue administrators and any other potential adversaries from having access to sensitive and protected information. They will still be able to administer and operate the system, but since they are not in possession of the encryption keys, they will be unable to access any data.
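To make the two paragraphs above concrete, here is an added example (not code from the original article) in which data is sealed with a key held outside the provider, every key request is audited, and destroying the key leaves the provider's copy unreadable. The `KeyStore` type, the choice of AES-256-GCM and the all-zero demo key are assumptions made for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type KeyStore struct { // hypothetical key service kept outside the cloud provider
	Key   []byte   // AES-256 key; set to nil to destroy it
	Audit []string // one line per key request, granted or refused
}

func (k *KeyStore) aead(who string) (cipher.AEAD, error) {
	k.Audit = append(k.Audit, fmt.Sprintf("who=%s granted=%t", who, k.Key != nil))
	block, err := aes.NewCipher(k.Key) // a destroyed (nil) key is rejected here
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce||ciphertext, the only form the provider ever stores.
func (k *KeyStore) Seal(who string, plain []byte) ([]byte, error) {
	g, err := k.aead(who)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plain, nil), nil
}

// Open fails if the key was destroyed or the stored blob was altered.
func (k *KeyStore) Open(who string, blob []byte) ([]byte, error) {
	g, err := k.aead(who)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("cannot decrypt: key unavailable or blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

func main() { // constructed demo: all-zero key, destroyed before the admin reads
	ks := &KeyStore{Key: make([]byte, 32)}
	blob, _ := ks.Seal("app", []byte("payroll"))
	ks.Key = nil
	fmt.Println(ks.Open("cloud-admin", blob))
}
```

In a real deployment the key would be generated randomly and held in a key manager or HSM that the provider's administrators cannot reach.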
The other central pillar of this strategy is to get rid of passwords and replace them with robust multi-factor authentication for users and administrators of virtual services at all times. The availability of authentication-as-a-service (AaaS) offerings means that the obstacles to widening secure authentication are removed, because management processes are simplified and new software authentication solutions meet the required security standards.
The far-reaching benefits that virtualised environments offer mean that they are now a fundamental aspect of how IT works. However, it’s undeniable that they need to be protected, and the value of doing this should be fully appreciated.
Not only do policy makers need to answer demands for improved data protection, our industry also needs to consider how to achieve accepted security principles – confidentiality, integrity, availability, accountability and auditability – in a virtual world.