I thought this week we could look at an issue that is currently of concern to quite a few of our customers involved in virtualisation projects. The rise of virtualisation and cloud computing is forcing many organisations to reconsider the fundamentals of identification, authentication and authorisation (and beyond). Analysts have predicted that, in the rush to reap the obvious benefits of virtual systems and applications, more than 60 percent of virtual machines deployed will be less secure than the physical servers they replace. One reason is that today's virtual machines run on open platforms and protocols and are portable across hosts: a machine image, together with every credential stored inside it, can be copied, cloned or moved far more easily than a physical server ever could. As a result the security complexities of a virtualised infrastructure are easily overlooked, and potentially catastrophic.
“Without proper security planning, virtualisation could come at a cost that greatly outweighs the potential savings. As such, access control, a fundamental component of any security design, will become a top-line issue in 2010 for managing virtual infrastructures, especially with privileged accounts that hold business-critical information.”
Understanding Where the Privileged Information Lies
Many solutions exist to help end users maintain their identities and passwords across systems. To protect proprietary information in a virtualised environment, an enterprise first needs to understand the different types of privileged account it employs (local administrator and root accounts on each guest, hypervisor and management-console accounts, service accounts, and the credentials embedded in scripts and configuration files), because that inventory is what drives the case for automation. An automated privileged account management system can then change those credentials on a schedule or on demand, so that a password is not left unchanged for the lifetime of a machine image, and can do so across the whole data centre infrastructure rather than one host at a time.
On-demand and Run-time Access
Access to privileged accounts is necessary in order to connect to systems, update software, change configurations and manage other accounts or services; this is no different for virtual infrastructures. To reduce the risk of a data breach, the security system must strongly authenticate an unattended program running on a physical or virtual machine, and authorise it, before releasing a critical password to it. This is a harder problem than end-user or administrator access, because programs and scripts typically run unattended and need a password to reach back-end systems such as databases, file transfer services and other machines; historically that password has simply been written into the script or a configuration file. An automated system instead lets the organisation define a policy and deliver the credential at the point of use, for the duration of the job, which limits the exposure that leads to leaks and breaches. Because each program or person must authenticate to the privileged account management solution before a credential is released, every use of a shared account on the target system can be traced back to the individual principal that requested it, which satisfies audit requirements even in a shared-account environment.
Protecting Privileged Access as a Virtual Service
As virtual machines are dynamically provisioned within an enterprise to scale to business demand, the capacity of the security systems must scale in parallel. To prevent capacity problems and ensure this critical piece of the enterprise remains responsive to requests, the security systems must be able to provision additional virtual instances of themselves as needed. The virtual enterprise must monitor the performance of each virtual instance of the security system so that it can trigger automatic provisioning and de-provisioning as demand changes. Yet IT organisations need to understand that operating these solutions as a virtual service exposes the authentication system to the same challenges as the systems it protects: its own images, snapshots and management interfaces hold the keys to everything else and must be managed with at least the same rigour. Self-management, in addition to virtual host and application management, becomes essential so that the security system does not itself introduce new weaknesses into the enterprise.
Business Continuity
When a virtual machine is restored from a backup or snapshot, the accounts on it carry the passwords that were in effect at the time the snapshot was taken, not the values the security system has rotated to since. A security solution must therefore be able to determine, for any number of virtual machines, which credentials were current at a specific point in time, synchronise its own records to those values, and allow operations to resume. With far more credentials to manage in a virtual environment, the challenge of recovering promptly from an outage grows significantly. To protect and manage virtualised information, automated privileged account management solutions can provide specific functionality that reverts a credential to the value in effect at the time of a backup or snapshot. For example, the enterprise management console for the virtual environment can notify the access manager when a machine has been rolled back so that the relevant credentials are reverted and the restored machine is immediately reachable, ensuring recovery and seamless security going forward. One caveat a practitioner should build into that process: a reverted password is an old value that may have been exposed since the snapshot was taken, so it should be treated as a temporary bridge and rotated again as soon as the restored machine is back under management.
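To make the three capabilities described above concrete (scheduled and on-demand rotation, brokered release of a credential to an unattended program with an audit record tying it back to the calling principal, and reverting a credential to the value in effect at a snapshot), here is a small Python sketch written for this page. It is an added example and not Salford Software's product or any vendor's code. The in-memory store, the HMAC-based signing of checkout requests, the epoch-second timestamps and the account and principal names are all assumptions; a real deployment would keep the version history encrypted at rest and would push the rotated value to the target system as well.

```python
"""Constructed example of an automated privileged-account manager (not a real product)."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Version:
    value: str     # the password that was current from set_at onwards
    set_at: float  # epoch seconds at which this value became current
    reason: str    # "initial", "scheduled", "on-demand" or "revert"


class CredentialVault:
    ALPHABET = string.ascii_letters + string.digits
    TOKEN_SKEW = 60.0  # seconds a signed checkout request remains valid

    def __init__(self, rotate_after: float = 86400.0):
        self.rotate_after = rotate_after
        self._history: dict = {}   # account -> [Version, ...], oldest first
        self._policy: dict = {}    # account -> set of principals allowed to check it out
        self._secrets: dict = {}   # principal -> enrolment secret used to sign requests
        self.audit: list = []      # every rotate / checkout / revert, in order

    @staticmethod
    def _generate(length: int = 24) -> str:
        return "".join(secrets.choice(CredentialVault.ALPHABET) for _ in range(length))

    def register(self, account: str, principals, now: float) -> str:
        """Bring an account under management with a fresh random value."""
        self._policy[account] = set(principals)
        self._history[account] = [Version(self._generate(), now, "initial")]
        return self.current(account)

    def current(self, account: str) -> str:
        return self._history[account][-1].value

    def rotate(self, account: str, now: float, reason: str = "on-demand") -> str:
        new = self._generate()
        self._history[account].append(Version(new, now, reason))
        self.audit.append({"at": now, "event": "rotate", "account": account, "reason": reason})
        return new

    def rotate_due(self, now: float) -> list:
        """Scheduled rotation: rotate every account whose value is older than rotate_after."""
        due = [a for a, h in self._history.items() if now - h[-1].set_at >= self.rotate_after]
        for account in due:
            self.rotate(account, now, reason="scheduled")
        return due

    def enrol(self, principal: str) -> bytes:
        """Issue an unattended program its own identity secret (assumed out-of-band delivery)."""
        secret = secrets.token_bytes(32)
        self._secrets[principal] = secret
        return secret

    @staticmethod
    def sign(secret: bytes, principal: str, account: str, ts: float) -> str:
        """What the calling program computes to prove who it is for this one request."""
        msg = f"{principal}|{account}|{int(ts)}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def checkout(self, principal: str, account: str, ts: float, mac: str, now: float) -> str:
        """Release the current value only to an authenticated, authorised principal."""
        secret = self._secrets.get(principal)
        if secret is None or abs(now - ts) > self.TOKEN_SKEW:
            raise PermissionError("unknown principal or stale request")
        if not hmac.compare_digest(mac, self.sign(secret, principal, account, ts)):
            raise PermissionError("bad request signature")
        if principal not in self._policy.get(account, set()):
            raise PermissionError(f"{principal} is not authorised for {account}")
        # The audit row is what links a shared account's use back to one principal.
        self.audit.append({"at": now, "event": "checkout", "principal": principal, "account": account})
        return self.current(account)

    def value_at(self, account: str, snapshot_time: float) -> str:
        """The value that was current when a snapshot was taken."""
        for version in reversed(self._history[account]):
            if version.set_at <= snapshot_time:
                return version.value
        raise LookupError("no version was in effect at that time")

    def revert_to_snapshot(self, account: str, snapshot_time: float, now: float) -> str:
        """After a VM rollback, make the snapshot-time value current again (then rotate soon)."""
        old = self.value_at(account, snapshot_time)
        self._history[account].append(Version(old, now, "revert"))
        self.audit.append({"at": now, "event": "revert", "account": account, "snapshot": snapshot_time})
        return old
```

The revert deliberately appends a new version rather than deleting history, so the audit trail shows that an old value was put back into service and when; the follow-up rotation after the restored machine is reachable is left to the caller, as the caveat above describes.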
The trend toward operating in a virtual environment will be driven by its business benefits, and it will raise many new security and management challenges in 2010. If implementation projects are not thoroughly thought through, virtualisation becomes a new lever that an attacker can abuse: a cloned image or an unchanged password on a restored machine is an easy way in. Ultimately, advances in security technology will make it possible to automate many of the activities associated with deploying a virtual infrastructure and the applications that operate within it.
If the challenges above are familiar, Salford Software offer free workshops on securing your enterprise. If you already have identity and access management in place and have virtualised, or are in the process of virtualising, I would seriously recommend a health check to ensure that your enterprise is protected in the new environment as well as the old.
For more information please email me david.poole@salfordsoftware.co.uk