As if they needed more stress, organizations are facing evolving and increasingly stringent compliance regulations from the Payment Card Industry, as well as Sarbanes-Oxley, HIPAA and others. Here are a few security compliance products that can make the audit process less excruciating.
Here are 10 of the distributor's hottest new offerings winning over solution providers.
New smartphones from Sony, Motorola and the first-ever Twitter-only mobile device -- the TwitterPeek -- headline a busy week for handset makers as the holiday shopping season heats up.
Plotting Security Strategy In A Virtual World
5:19 AM EDT Fri. Sep. 21, 2007
Page 1 of 2
Yet like a Pacific Ocean tsunami, the departure of the wave signals not a falling tide, but the building of a new and larger wave of hype and confusion about how the growing virtualization of server infrastructures impacts the security of the data center.
Virtualized servers are in many ways similar to physical servers, with each individual virtual or physical server requiring processor time, memory, I/O, and an operating system to run an application which does not care on which type of server it is found.
Yet the difference between having an application run on a dedicated piece of hardware or on one of several virtual servers sharing resources within a physical server is spurring a debate about the best way to protect the virtual world.
In one camp are those who say that virtual servers primarily need the same type of protection tools—anti-virus, anti-spam, firewall—as any physical server.
In the other camp are those, especially a host of startups and relatively unknown technology developers, who say that server virtualization brings its own potential areas for malware exploits requiring a new set of tools to handle security issues.
While security is an important issue in any part of the data center, customers have yet to express concern about the security of their virtual servers, said Kevin Houston, business development manager and virtualization practice manager at Optimus Solutions, a Norcross, Ga.-based solution provider.
"A lot of people don't think virtual environments need protection," Houston said. "They have perimeter security to protect against external attacks, and an inside perimeter to protect against internal threats."
Within the host servers, virtual servers are often not protected, Houston said. "But no customers say they are worried," he said. "But remember, this is still new. Just a year ago, customers were still looking at whether they wanted to virtualize servers or not."
There is a great need for securing virtual server environments, Houston said. "But I don't think recognition of the importance has penetrated the customer environment yet. It probably won't happen until someone penetrates a virtual environment and gets a virus to spread from virtual machine to virtual machine."
Paul Adamonis, director of security solutions at Forsythe Solutions Group, a Skokie, Ill.-based solution provider, agreed that it will take a major breech to bring security to the forefront.
"That will happen when you see the first rootkit at the hypervisor level," Adamonis said. "Then you'll see everybody scrambling."
For now, Adamonis said, his company has discussed security in virtual environments and has concluded that the issues are similar to those of physical servers. "It comes down to, there is no difference," he said. "If you are going to do anti-virus or e-mail lockdown, you'll have to do it on the virtual server as well as on the physical server."
In many ways, securing virtual servers is little different from securing physical servers, said Patrick Lin, senior director of product management at VMware.
"At the end of the day, they are just Windows machines," Lin said. "When you turn a physical server into a virtual server, it's no more vulnerable that it was before. There are not new avenues of attack all of a sudden."
Even so, server virtualization vendors are taking steps to ensure that their technology is itself up-to-date in terms of security.
Lin said VMware Server ESX is currently certified at Common Criteria Level 2 (CCL2), a security standard, and is in the process of applying for CCL4 for its Virtual Infrastructure 3 (VI3) product suite.
Virtualization actually offers a great opportunity to do security right, said Simon Crosby, CTO of XenSource, the Palo Alto, Calif.-based virtual server vendor which is in the process of being acquired by Citrix.
First, Crosby said, the hypervisor has independent control over the virtual environment, and can see all the traffic of each guest operating system. Second, he said Intel has its Trusted Execution Technology and AMD its Presidio, both of which are extensions in their processors for implementing virtualization. "They can be used with the hypervisor to make sure only a trusted guest can be booted," he said.
Virtual machines need to be treated the same in terms of protection and management as physical servers, said Michael Berman, CTO of Catbird Networks, a Scotts Valley, Calif.-based developer of virtual security appliances.
"You can't assume virtual servers are any more secure," Berman said. "They're still affected by the same issues: spyware, viruses, patches. Even people with good security and who have deployed defense in depth in corporate environments are not extended it to their hypervisor environment."
Brandon Baker, security development engineer at Microsoft, said the two major areas related to security in virtualized environments are protection or isolation of the host environment, and how to manage and maintain the virtual machines.
On the host side, Microsoft's upcoming hypervisor-based virtualization technology, code named Viridian, will have a virtual machine monitor and provide additional security by running the hypervisor outside every instance of the operating system, including the host OS, Baker said.
Since Viridian is a part of the Windows Server 2008 operating system, any patches and updates done for the operating system also apply to Viridian, Baker said.
Viridian's first public data is expected to be released when Windows Server 2008 is released to manufacturing, with a full release planned for about 6 months later.
When Windows Server 2008 is used with Viridian, only the core functions of the operating system are installed in order to minimize the amount of updates needed and the number of potential attack points, Baker said. "So the host environment can be locked down with very little traffic," he said.
Baker said it is important to track virtual machines as they move, and especially as they are brought back from a dormant state. Viridian, he said, checks dormant virtual machines as they are brought back on-line in order to make sure that all necessary patches are done.
Tracking active and dormant virtual machines is a specialty of ConfigureSoft, a Colorado Springs, Colo.-based developer of software to ensure changes to a company's IT infrastructure do not impact any compliance issues that company is facing.
Andrew Bird, vice president of marketing at ConfigureSoft, said an increasing number of companies are seeing their personnel build virtual servers and add them to the network without ensuring they are compliant with corporate policies. Many of those virtual machines are put in a dormant stage when not in use, and when they are awoken do not have the required updates and patches.
It is also becoming common to build virtual servers for disaster recovery purposes, and then let them go dormant until required in an emergency, Bird said.
"Eventually they'll bring these servers up for, say, disaster recovery, but the servers will be out of sync with patches," he said. "ConfigureSoft senses the new server as it comes up, and corrects it before it is brought up."
Next: Security concerns grow along with virtualization
