
The adoption of virtualization has skyrocketed in the past few years. Companies have found large cost savings when migrating to virtual environments: lower capital expenditure and lower energy bills, and, most importantly, gains in operational efficiency from easier business continuity, automation and meeting service level agreements. This spike in interest has led to a 300% increase in the Virtualization Practice here at IDS in the past year.
Traditionally, as ease of use increases, security decreases; there is always a balancing act between the two. When organizations first began using virtualization I was immediately skeptical of how it would hold up from a security perspective. There were too many open questions about how secure these environments were, or could be made, over time.
Now that VMware and the other big names have been in the virtualization game for some time, and virtualization has been adopted by so many different organizations, it has proved to be a solid technology and many security components have been built into and around these products. We are now at the point where (virtually) any hardware device can be virtualized to some extent. This matters for security because we are seeing the emergence of virtual intrusion prevention systems, firewalls and antivirus. Many of these products are still fairly new and have not been truly stress tested in the field, so for all intents and purposes we are hoping they provide the same protection as their hardware counterparts. One caveat to keep in mind: a virtual security appliance runs on the same hypervisor as the workloads it protects, so the isolation it offers is only as strong as the hypervisor's, and traffic is only inspected if the virtual switching is configured to actually pass it through the appliance.
As those of us in IT vet these virtual security appliances, we also need guidance on how to maintain compliance with mandates such as PCI DSS, SOX and HIPAA.
Should virtual environments be treated differently from physical ones for compliance purposes? If so, how?
At the end of June the PCI Security Standards Council released guidance on how organizations should view PCI DSS compliance in virtualized environments. It is good to see this shift, and it is a step toward clearer information about how we can continue to protect sensitive data.
The PCI DSS Virtualization Guidelines cover the risks associated with virtualized environments along with the Council's recommendations for securing them. The document is geared toward organizations that use, or are considering using, virtualization in their cardholder data environment. Its central scoping point is that if any virtual component connected to or hosted on a hypervisor is in scope for PCI DSS, the hypervisor itself is in scope, which makes mixing in-scope and out-of-scope virtual machines on the same host something to approach with care. We still have a long road ahead in proving that virtual environments can be secured to the same degree as physical ones, but this document is a step in the right direction toward showing how that might be accomplished.
Photo Credit: umjanedoan