StoneBlog.stonesoft.com

The most common motivation for a virtualization project is cost saving coming from server consolidation. Like the term indicates, the server consolidation is typically managed by server administrators, who may be a separate group of people from the IT security team. This may lead into a situation that the security is not an integral part of the design.

When the security is an afterthought, the solution may become more complex than necessary. And because simplicity is one of the main security principles, the complex solution will further decrease the security by increasing possibilities for configuration mistakes. Like Gartner’s report shows, more than 99% of security breaches are caused by misconfigurations [1]. Maintaining an unnecessarily complex environment will inevitably lead into additional misconfigurations, i.e.  into additional security breaches.

Continue reading »

written by pentti - 6,531 views \\ tags: security threat, Virtualization

Typically, the virtualization starts from the most internal network segments. Later on, the technology is expanded closer to the perimeter that is facing the partners and/or the public Internet. When virtualizing the internal servers only, it is often thought that there is no need to have any additional security solutions deployed specifically for that environment. Isn’t there already a firewall in the perimeter protecting unauthorized connection attempts coming from the public networks? In addition to the Internet firewall, the organization may even have another set of firewalls to separate each organization unit. There are also multiple IPS appliances deployed all over the network to provide additional layer of protection. Furthermore, the same servers in the physical network were not segmented either, nor was there any dedicated IPS systems between the hosts, so why would we bother to do it in the virtual environment either?

Continue reading »

written by pentti - 3,784 views \\ tags: layered security, security threat, Virtualization

“Virtualization is both an opportunity and a threat,” says Patrick Lin, senior director of product management for VMWare [http://www.darkreading.com/document.asp?doc_id=117908]. Thanks to the great and visible marketing efforts, the opportunities are quite well understood and there is more and more organizations enjoying the opportunities and benefits the virtualization provides. However, only minority of those organizations knows and understands all the security threats it comes with. And even if some of the threats have been understood, they may have been accepted as such during the risk analysis phase because of not knowing how to solve them, or they have been solved with an unnecessarily complex security solution, which brings up new security threats itself.

Continue reading »

written by pentti - 2,567 views \\ tags: security threat, Virtualization