Security in a virtualised world - moving with the times

Opinion by Joe Baguley

For almost every single organisation, its data is its lifeblood. Preserving the integrity is paramount, and so securing data has become one of the biggest challenges of doing business in the digital age.

For almost every single organisation, its data is its lifeblood. Preserving the integrity is paramount, and so securing data has become one of the biggest challenges of doing business in the digital age.

It hasn't always been this way, of course. A business used to store all its important information in a physical archive with only a limited number of people allowed access to hard copies of the information.

An archive room, if broken into, could result in the theft of confidential data. Today, even the smallest of offices produces mountains of digital data accessed by many people who don't even necessarily have to be physically present in the office.

Technology has offered businesses large and small vast opportunities, but we need to make sure we secure our most important digital assets; while in the past an intruder would have needed a crane to steal 30,000 customer details, today a hacker does not even need to leave his desk.

For the last 20-odd years, securing your digital assets has mostly meant implementing firewalls, endless rounds of anti-virus patching and relying on intrusion detection systems to keep out unwelcome digital visitors. With many SMEs now realising the benefits of server and desktop virtualisation, offering staff flexibility, unlimited scalability, simplified IT, carbon footprint reduction, cost savings and more, the old security approaches are fast becoming out-dated.

Security must always be at the heart of any IT system or strategy, it cannot be an afterthought. Security needs to act as the immune system of the virtual environment, an intrinsic part of the whole rather than an add-on. SMEs therefore need to throw out their old ways of thinking when addressing virtualisation.

In a virtualised environment, it no longer makes sense to think of security as protecting physical IT assets. The real assets being protected – data, applications and operating environments – are now contained within virtual machines (VMs) that move across the underlying physical infrastructure.

Security policies need to be associated with the virtual entity (machine, application or data centre) and they need to remain persistent as the entity migrates across physical assets. This means that anti-virus can be implemented as a single virtual security appliance serving many virtualised end-user environments, rather than installing on each endpoint.

This works because, out of sight to the end-user, a virtualised environment is an extra layer between an operating system and hardware, which is called the hypervisor.

While previously the operating system handled the security function, it is now the job of a hypervisor. The hypervisor helps manage and secure all the components of the infrastructure, including virtualisation hosts, management servers, virtual storage and services such as authentication and monitoring.

Data and virtual machines are often moved from one server or site to another automatically, many times a day, depending on requirements. A particular virtual machine might be suspended for a variety of reasons, but as soon as it is made live again, it needs to receive the latest security patches, or else it poses a risk. Virtualisation enables this, as well as dramatically enhancing business continuity capabilities by restarting virtual machines on working servers using the latest replicated image if the underlying infrastructure fails, without any interruption to the application or end-user.

Advanced threats today typically breach the perimeter via a weak point and bounce around inside the virtual environment until they find what they are looking for. What this means is that the highest level of security is achieved by protecting each virtual entity: machine; application; and data centre.

A single management framework can then instantly detect and act upon the threat in any part of the system and can even quarantine a virtual machine that is compromised. Different levels of security can be applied to the virtual entities depending on their importance. The net result is that as virtual machines/applications are moved around the data centre, security policies inextricably move with them.

Unfortunately, it seems that many SMEs have so far taken a rather relaxed approach to security in a modern computing environment. A recent Symantec survey across 28 countries showed that on average, only 40 per cent of an SME's server environment is completely secured. Even of those businesses with "secure" virtualised servers, 78 per cent had no anti-virus protection, 48 per cent had no firewall and 74 per cent had no endpoint protection.

The fact that security aspects are so neglected by SMEs is very surprising, as securing your environment does not have to be expensive and, in fact, can take away much of the management burden for staff.

Products are available that were specifically built to secure SMEs' virtual and legacy infrastructure and that offer levels of automation previously only available to enterprises at large expense. These include automatic scan and patch management of offline and online VMs that even collate updates from third-party providers, and automated backup procedures and real-time file scanning for all threats, including spyware, adware, malware and viruses.

What's more, while high availability was previously a luxury only large enterprises were able to afford to ensure business continuity, technology such as virtual storage appliances and automated site recovery tools now also enable SMEs to enjoy these benefits at a fraction of the cost of traditional methods.

If your organisation has already made the first steps into the cloud, there is also no reason you should not be secure. Any concerns over the security of embracing the public cloud can be dispelled by selecting cloud service providers that have adopted an open approach and constructed their offerings with virtualised security built in at every level.

On the other hand, if your organisation has established its own internal or private cloud, it is advisable to invest in technology that lets you manage and secure your entire virtual infrastructure, from automated patch management and helpdesk ticket management to software licence and hardware asset management – end to end from a single web interface.

By adopting a private cloud approach built on open standards of VM formats and open management and control interfaces ensures that complete compatibility can be achieved with external cloud service providers. With this compatible, hybrid cloud approach, virtual entities can easily move, along with their security and compliance attributes, from the private to the public domain, and vice versa.

Security is the stick that has historically been used to hit virtualisation and, more recently, cloud computing. Because we have worked so long in a purely physical IT landscape, people are naturally far more comfortable when they can see and touch security devices.

Security concerns only need worry organisations that have not moved with the times and stuck to their out-dated processes. Just as we moved from a lock on a physical archive cupboard to encryption technology to secure digital data, we now have to move with the times again and adapt to the new requirements of a virtual world.

While security is a difficult subject for SMEs for which security requirements are frequently changing depending on business growth and strategy, it can't be ignored. A secure virtual environment can be as secure, if not more so, than a physical one, but it has to be at the heart of your IT infrastructure and not tacked on as an afterthought.

What is needed is an entirely new approach to security. In the physical world your organisation may have got away with a lax approach, but in a dynamic virtual environment that knows no borders, carelessness could be costly.

Security does not have to be seen as a necessary evil; through the flexibility of a virtualised infrastructure that allows for high levels of automation and paves the way towards the cloud, it can considerably simplify the management of your IT environment and become part of your business growth strategy.

Joe Baguley is chief cloud technologist EMEA at VMware


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events