– Edmundo Costa, CEO of Catbird, says:
Three reasons drive the requirement for virtualization security: compliance costs, compliance complexity, and compliance enforcement. The virtualized data center, described interchangeably as the Software-Defined-Data-Center or the Converged Data Center, is now the foundation of most private-cloud infrastructure. While this technology evolution began with the virtualization of the compute layer in order to pool resources and reduce costs, it has now expanded into every layer in the data center stack: storage, management, and the network via Software-Defined Networking (SDN). At the heart of the new data center is the notion that as physical devices become software layers in the data center, they can be managed as software service components that can be programmed and managed as part of a policy. So what about security? The same benefits that drove virtualization of compute, storage, and management will also drive virtualization of security. Those key benefits are cost, operational efficiency, and flexibility, all of which become critical as organizations prepare for an audit.
Bringing Simplicity to the World of Compliance
Data center technologists are scarce (and thus busy) people, actively looking for ways to reduce burdensome and complex processes. Compliance audits are the quintessential target. Virtualization security can deliver the compliance simplicity IT is looking for with the added benefit of supporting their security and compliance operations counterparts. Security as software promises:
- Lowered audit risk by making security part of standard operational processes through integration of security controls into existing management and operational processes, delivering cradle-to-grave assurance for the entire VM lifecycle with no human intervention
- Controlled audit scope (i.e. prevent audit creep) by maintaining tight scope control through automated enforcement actions to stop or revert events that would violate policy and bring systems out of compliance
- Reduced audit costs by automation of audit processes and assurance of compliance posture, achieved thru continuous security monitoring and enforcement correlated to hypervisor events like changes to VMs or SDN
An Easy Choice, Right?
Actually, it’s no surprise that enterprise IT security folks have a healthy skepticism when it comes to embracing a new approach. Many data centers in transition continue to rely on physical data center security architectures that are rigid and complex. Classic network security has relied on stateful devices and static machine and network identities that are challenging to work with and difficult to change. This complexity is compounded still by the necessity of having to deploy a multitude of dedicated appliances to enforce any kind of defense-in-depth protection. I would argue that the power of virtualization security is during audit time. That is when it can make a significant impact because it is when the operations team must meet the challenges posed by the transformation from physical to virtual infrastructure.
Without the power of virtualization security, data center IT and security teams face new complexity, costs, and audit risk. To meet this challenge, data center operators are forced to redirect scarce resources, key operating personnel, and subject matter experts (SMEs) to prepare and pass audits at significant costs and disruption to the business. Compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS 2.0) and ISO27001 have specific requirements around virtualized components. Some of the specific challenges that I have seen at audit time include:
- Capturing, aggregating, filtering, and reporting on changes to the VM population or VM configurations, specifically around vNIC configuration changes including VLAN
- Capturing, aggregating, filtering, and reporting on data flows for in-scope systems on the virtual switch fabric
- Demonstrating positive assurance of control for isolation requirements between and across in-scope and out-of-scope VMs—critical to maintaining audit scope control
- Continuous monitoring of new abstractions layers and more complex event streams
Without virtualization security, audit time is a costly and complex process of accommodating old-school controls to the new virtualized infrastructure. Also, new risks of audit findings and expanded audit scope emerge as auditors are increasingly aware of the impact of the data center transformation on the effectiveness of controls.
It’s All About the Audit
Auditors measure their clients’ activities against regulatory control guidelines and, in general, these security standards have recognized that virtual infrastructure is subject to rapid changes requiring continuous monitoring. The ability to capture, catalogue, and report on events is fundamental to these principles and control failures can result in audit fines and the widening of the audit scope, costing millions in audit time and fees as well as disrupting business operations. Every year, regulatory bodies are tightening requirements for continuous monitoring, as most recently reflected by the new PCI DSS 3.0 effective January 2014. PCI DSS 3.0, [EC1] for example, has placed an emphasis on maintaining an accurate status of data flows (Requirement 1), inventory scope (Requirement 2), and common vulnerabilities (Requirement 6). Similarly, the Cloud Security Alliance (CSA) Cloud Control Matrix Version 3 [EC2] also calls attention to virtual impacts on Change Control & Configuration (CCC) and Data Security & Information Lifecycle (DSI). The CSA Matrix emphasizes the requirement for baselines for infrastructure and measurements of events against applicable statutory, legal, and regulatory compliance obligations.
So Is Physical Network Security Dead?
I am, of course, not saying that physical security devices do not have their place; they are an important piece of securing the physical infrastructure. Yes, some folks believe in a zero-trust Model. Most of the customers we work with, do not. Quite simply, in a virtualized world, physical security devices were not designed to protect the virtual components within cloud and data center architectures. Such “traditional” security depends on physical devices being deployed on the perimeter of the data center on physical networks. These devices depend on network inspection and are therefore blind to the significant security-related activity within virtual infrastructure, whose networks they cannot see. What I am saying is that, within virtualized environments, security can be improved and the audit process simplified.
A New Approach to Virtualization Security and Compliance
Catbird vSecurity is software that brings to network security the same benefits that we’ve seen in other layers in the virtualization stack as well as delivering compliance simplicity and audit scope reduction. With the right tools in place, virtual infrastructure can be more secure and efficient than ever before. For organizations with compliance requirements, virtualized security can deliver a less complex, less costly, and significantly less disruptive audit process.
