Blogger: Trent Henry
Here at Burton Group we’ve been looking at x86 virtualization and its impact on security. In my recent report on that topic, I specifically called out how auditors respond when they encounter virtual systems. The major issues include:
- Separating systems with perimeters and limiting audit scope
- Hardening systems against attack and maintaining patches (including hypervisors themselves and offline guest machines)
- Protecting data in easily replicated virtual machines
- Controlling privileged user access and activity
- Monitoring virtual systems
- Recognizing that control environments can change dynamically among hypervisors
Generally, auditors are just beginning to acknowledge these issues—especially vis-à-vis PCI. But they’re getting savvier with each passing moment.
What they don’t yet understand are storage virtualization and converged fabric. With technologies such as iSCSI and Fibre Channel over Ethernet (FCoE) emerging, lots of new security questions arise (and it’s not just the auditors in the dark; I think the whole industry is grappling with these):
- Block-level access to disk across Ethernet: What do we do about clients whose access represents not just a single file system, but huge amounts of disk spanning multiple servers and OSes?
- Authentication: How do we ensure that proper authentication strength is enforced (despite being turned off by default) and move from simple CHAP techniques to stronger mutual authentication?
- Authorization: How do we move beyond spoofable initiator node-name authorization to something better?
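As an added example (not from the post), here is a small Python checker of the kind an auditor might run against an initiator’s iscsid.conf. It uses the real open-iscsi key names with constructed values: it flags the shipped no-authentication default, one-way CHAP that never authenticates the target, and CHAP secrets shorter than the 96-bit floor below which the iSCSI spec requires IPsec, and it shows a mutual-CHAP configuration beside the weak one.

```python
"""Audit open-iscsi initiator settings (real iscsid.conf keys, constructed values) for the
weak defaults the post lists: authentication off, one-way CHAP only, short CHAP secrets."""
MIN_SECRET_BYTES = 12  # iSCSI (RFC 7143): CHAP secrets under 96 bits need IPsec on top

# Constructed weak sample: discovery at the shipped default (None), one-way CHAP, 6-byte secret.
WEAK_CONF = """
discovery.sendtargets.auth.authmethod = None
node.session.auth.authmethod = CHAP
node.session.auth.username = initiator01
node.session.auth.password = s3cret
"""
# Constructed hardened counterpart: mutual CHAP for both scopes, 16-byte placeholder secrets.
HARDENED_CONF = """
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = initiator01
discovery.sendtargets.auth.password = Kx9vQ2mRt8pLw4Zn
discovery.sendtargets.auth.username_in = target01
discovery.sendtargets.auth.password_in = Hb7cN3yTq5jGv2Fd
node.session.auth.authmethod = CHAP
node.session.auth.username = initiator01
node.session.auth.password = Kx9vQ2mRt8pLw4Zn
node.session.auth.username_in = target01
node.session.auth.password_in = Hb7cN3yTq5jGv2Fd
"""

def parse_conf(text):
    """Map 'key = value' lines to a dict, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return findings for the discovery and session scopes; [] means every check passed."""
    conf, findings = parse_conf(text), []
    for scope in ("discovery.sendtargets", "node.session"):
        p = f"{scope}.auth."
        method = conf.get(p + "authmethod", "None")  # open-iscsi's default when unset
        if method.upper() != "CHAP":
            findings.append(f"{scope}: authmethod is {method}; target is reached unauthenticated")
            continue
        if not (conf.get(p + "username_in") and conf.get(p + "password_in")):
            findings.append(f"{scope}: one-way CHAP only; the target is never authenticated")
        for key in ("password", "password_in"):
            secret = conf.get(p + key, "")
            if secret and len(secret.encode()) < MIN_SECRET_BYTES:
                findings.append(f"{scope}: {key} is {len(secret.encode())} bytes, under {MIN_SECRET_BYTES}")
    return findings
```

The checker covers only the initiator side; the target’s own CHAP settings and any IPsec policy have to be reviewed separately.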
In July at Burton Group’s Catalyst Conference (in San Diego), we’re dedicating an entire daylong topic to the issues of Storage, Networking, and Security for the Dynamic Data Center. Have a look at Thursday’s agenda and try to join us for the conversation.
