
Consolidation: less isn't always more

01 Apr 10

A lot of attention has been given to making sure virtual machines (VMs) are updated, manageable and protected. Now, with the introduction of virtual infrastructure and physical hardware pooling, a whole new set of challenges awaits us, many of which are only just becoming apparent. Security zoning is essential in the design of any system and, while often overlooked, it has long been a proven strategy. So how can something such as virtualisation affect how we zone our systems?

Security zoning is based on the core concepts of classification and compartmentalisation. Both data and systems are classified into groups of differing sensitivity. Classified data is stored separately from general data. Critical and high-security systems are segmented from public systems. Accounts used to access high-security systems are never used on low-security systems. The required level of security determines the amount of compartmentalisation. The purpose is to prevent less secure or low-priority systems and data from compromising more sensitive systems and data.

Virtualisation design will often focus on maximising the rate of consolidation to produce greater savings and lower running costs. When this is combined with the ability to pool physical hosts and storage devices, we begin to create security concerns. Now the domain controller is running on the same host as the print server and is stored on the same storage as the public web server. Suddenly all the security zones and segments become virtualised as well. Communication between VMs becomes largely invisible to traditional security systems running outside the virtual environment, and a compromised host affects all of its VMs regardless of virtual segmentation.

Physical access to hosts in a large environment based on secure racks becomes harder to regulate, as it is not apparent whether a particular server is hosting sensitive systems at any particular time. There is also the question of management. What point is there to virtual network segmentation and zoning when a handful of management workstations and user accounts are used to access them all?

In order to provide higher levels of security we must look beyond consolidation to preserve our security zones. In lower-security environments, implementing virtual security and unified threat management (UTM) appliances between our virtual network segments and machines will provide much-needed security and management of communications between VMs. In higher-security environments it is necessary to augment this further by providing separate hardware pools for each zone, to prevent VMs of different sensitivity from co-existing on the same host or storage device.
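As an added illustration (not code from the article or from any vendor), the following Python script applies the zoning rules from the paragraphs above to a constructed inventory: it flags any host or storage device that carries VMs from more than one zone, and any management account whose hypervisor logins span zones. The VM names, host and storage identifiers, zone labels and audit records are all assumed for the example.

```python
"""Check VM placement and management access against security-zone policy.

Policy (from the article): VMs of different zones must not share a host or a
storage device, and accounts used to manage one zone must not be used for
another. Inventory and audit data below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    zone: str      # assumed zone labels: "high", "low", "public"
    host: str      # hypervisor host the VM is running on
    storage: str   # datastore / storage device holding the VM's disks


# Constructed inventory mirroring the article's scenario.
INVENTORY = [
    VM("dc01", "high", "esx-a", "san-1"),
    VM("print01", "low", "esx-a", "san-2"),    # shares a host with the DC
    VM("web01", "public", "esx-b", "san-1"),   # shares storage with the DC
    VM("db01", "high", "esx-c", "san-3"),
    VM("app01", "high", "esx-c", "san-3"),     # same zone, same pool: fine
]

# Constructed (account, host) pairs as they might come from hypervisor audit logs.
ADMIN_LOGINS = [
    ("vadmin", "esx-b"), ("vadmin", "esx-c"),  # one account across zones
    ("ops-public", "esx-b"),
    ("ops-high", "esx-c"),
]


def find_zone_violations(inventory):
    """Return [(kind, resource, zones)] for every host or storage device that
    holds VMs from more than one zone, i.e. a broken hardware pool."""
    shared = {"host": defaultdict(set), "storage": defaultdict(set)}
    for vm in inventory:
        shared["host"][vm.host].add(vm.zone)
        shared["storage"][vm.storage].add(vm.zone)
    violations = []
    for kind, table in shared.items():
        for resource, zones in sorted(table.items()):
            if len(zones) > 1:
                violations.append((kind, resource, tuple(sorted(zones))))
    return violations


def find_cross_zone_accounts(inventory, logins):
    """Return {account: zones} for accounts that logged into hosts belonging
    to more than one zone. A host's zone set is derived from the VMs it runs,
    so a mixed host also taints every account that touches it."""
    host_zones = defaultdict(set)
    for vm in inventory:
        host_zones[vm.host].add(vm.zone)
    account_zones = defaultdict(set)
    for account, host in logins:
        account_zones[account] |= host_zones.get(host, set())
    return {acct: tuple(sorted(z))
            for acct, z in sorted(account_zones.items()) if len(z) > 1}


if __name__ == "__main__":
    for kind, resource, zones in find_zone_violations(INVENTORY):
        print(f"{kind} {resource} is shared by zones {', '.join(zones)}")
    for acct, zones in find_cross_zone_accounts(INVENTORY, ADMIN_LOGINS).items():
        print(f"account {acct} manages hosts in zones {', '.join(zones)}")
```

Run against a real inventory export, the first check tells you whether the per-zone hardware pools the article recommends actually hold, and the second whether the management plane undoes the zoning. Both are cheap to run on a schedule, since VM placement in a pooled environment changes without anyone touching a rack.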

Researchers have already highlighted some of the potential risks involved in large-scale hardware pooling with the internal mapping and prediction of VM placements within a high-profile public cloud. How do we, for example, manage the zoning of our systems from not just each other but also the systems of other entities hosted in a third party cloud? Clearly this is one of the biggest barriers to wider adoption of cloud-based systems and is a question to which cloud vendors have yet to provide a satisfactory answer.

The key point to remember is that no system or platform is inherently secure, and virtualisation is no exception. Virtualisation provides us with a powerful platform on which to base our systems, but if we wish to secure them there is more to consider than rack space and cooling costs.
