
Securing the Virtual Data Center

A Symantec and VMware Joint White Paper

Who should read this paper

Chief information security officers, directors of IT operations, and

virtualization teams can use this document to identify security risks

they may encounter when virtualizing critical or sensitive applications

so that they can implement technologies and practices to safeguard

their organizations’ IT and information assets.


Content

Executive Summary
Growth and challenges in virtual and cloud environments
A new standard
Shared risks
New challenges
Current solutions are inadequate
Solutions designed for physical infrastructure
Point solutions for virtual environments
Outline of a general solution
Benefits
Symantec Server Security Solutions
Use cases in virtual environments
PCI compliance in a stand-alone secure server environment
HIPAA compliance for secure Virtual Desktop Infrastructure
Why Symantec?


Executive Summary

The compelling economies and efficiencies of virtualization and cloud computing are transforming enterprise IT. But the virtual transformation introduces new security risks, and complicates security and compliance management beyond the capabilities of either solutions designed for slow-moving physical environments or point solutions focused on individual vulnerabilities in the virtual world. Virtual environments need protection from top to bottom—spanning hypervisors, management consoles, and physical hosts, not just endpoints—and end to end, across these sprawling, dynamic new infrastructures. This paper outlines the challenges of securing virtual environments, and introduces a comprehensive approach to meet them, including:

• Virtualization-aware technologies to secure virtual and physical infrastructure and endpoints without compromising performance

• Hardening of virtual servers and their physical hosts against external and internal threats

• Security-management technologies and processes to achieve and document compliance with the most demanding regulatory requirements

• Tight integration with leading virtualization platforms, including compliance and incident response templates for efficient, confident implementation

Building on its advanced endpoint and server security technologies, Symantec™ has introduced a comprehensive solution for safeguarding dynamic virtual and physical infrastructures from single data centers out to the most complex mixed private-public cloud environments. Field-proven with multinational enterprises in sensitive industries, Symantec Critical System Protection and Symantec Endpoint Protection merit careful consideration by any organization that must safeguard critical applications in growing virtual and cloud environments.


Growth and challenges in virtual and cloud environments

A new standard

Organizations virtualize IT workloads to consolidate them on reduced or outsourced physical infrastructure, so they can:

• Reduce equipment costs and expenses for power, cooling, and facilities

• Streamline IT operations and simplify management

• Arrange for effective disaster recovery of critical workloads

The economics and efficiencies are compelling, and it’s no surprise that x86-based virtual and cloud infrastructure is becoming the default platform for utility, highly volatile, and even mission-critical IT workloads. By mid-2011, 68% of IT workloads had already been virtualized.1 With virtualization the number-one enterprise and small- and midsize-business spending priority2, this trend is likely to continue.

But virtualization adds complexity to security and compliance processes that evolved in less-dynamic physical environments. Left unaddressed, this complexity exposes organizations to security and compliance risks, and may even undercut the economy and efficiency of virtualization itself.

Shared risks

Of course, many security risks are shared across physical and virtual workloads: vulnerabilities in OS instances and applications, for example, can be exploited and must be patched. Malware and hacker attacks demand vigilance and vigorous defenses. And regulations and standards such as the Payment-Card Industry Data Security Standards (PCI-DSS), Health Insurance Portability and Accountability Act of 1996 (HIPAA), and European Union Data Protection Directive (EU Directive 95/46/EC) demand compliance in any computing environment, physical or virtual.

New challenges

But virtual and cloud environments present challenges for security and compliance above and beyond those found in physical environments. First, virtual environments add new elements. These include hypervisors, management servers, and utilities that need to be patched and protected to avoid exposing the entire virtual infrastructure to risks. As virtualization solution providers lock down hypervisor kernels and move service consoles and management functions outside the hypervisor, securing the management infrastructure, including all clients that access management application programming interfaces (APIs), becomes even more important. And because virtual machines (VMs) are dynamic by design, workloads with high compliance requirements may be moved in an instant to physical infrastructure shared with workloads that require much lower trust levels or compliance standards.

Second, training and compliance issues lurk behind these technical challenges. IT staff, solution resellers, and consultants trained on physical infrastructure may not stay current with the tools and practices needed to secure fast-changing virtual and cloud environments. And the separation of management responsibilities typical in complex virtual environments—Information Security from Configuration Management, for example—may deprive the virtual infrastructure planning and deployment team of security expertise it badly needs.

1-John Burke, Principal Research Analyst, Nemertes Research. Cited in Joan Goodchild, “Virtualized environments painfully insecure”, CSO online. (Framingham, MA: IDG Communications CXO Media, June 7, 2011). http://www.csoonline.com/article/683702/virtualized-environments-painfully-insecure

2-Enterprise Strategy Group. Cited in Todd Zambrovitz, “2012 in virtualization – fixing the breaking points”, VMblog.com. (Palo Alto, CA: VMware, Inc. December 8, 2011). http://vmblog.com/archive/2011/12/08/symantec-2012-in-virtualization-fixing-the-breaking-points.aspx


Evolving patterns of attack

For years, the Symantec Internet Security Threat Report3 has documented the rise of financially- and politically-motivated attacks targeting specific companies and other organizations. The most recent report shows no relief in sight:

• High-profile attacks use sophisticated malware and hacking protocols to compromise and expose data at selected organizations

• Social networking information online helps hackers create “spear-phishing” attacks that fool even experienced users at security-conscious firms

• Hide-and-seek techniques use zero-day vulnerabilities and rootkits that open back doors to stay hidden for weeks or months after an initial breach

• Attack kits put advanced capabilities in the hands of less-capable hackers

Today’s malware coders and hackers include organized criminals, “hacktivists”, state actors, and insiders who target enterprises, small businesses, end users, and governments for money, proprietary information, and to satisfy grievances, real or imagined. And although outsiders launch the most attacks, it’s the insiders who do the most financial and reputational damage4. Finally, workload consolidation raises the value of IT targets even as it complicates their security. It is true that hypervisor platforms and management servers offer hackers and malware writers a much smaller body of code to exploit, making direct attacks more difficult than exploits of vulnerabilities in the millions of lines of OS and application code they run or supervise. But payoffs for successful attacks on virtual infrastructure are much higher, since they can expose every OS instance and application running on or under the compromised platform. Throughout the history of IT, bad actors have followed the money—and today’s money is riding on virtual and cloud infrastructure—see sidebar, “Evolving patterns of attack.”

Current solutions are inadequate

Neither security solutions designed for physical environments nor patchwork point solutions for virtual environments can deliver the comprehensive, deep protection organizations need when critical workloads run in virtual and cloud environments.

Solutions designed for physical infrastructure

Solutions designed to protect critical servers in physical environments include both commercial solutions adapted from physical into virtual domains, and an array of customized scripts and ad hoc tools designed for—and often by—security administrators trying to provide some degree of protection for applications and data in fast-changing virtual environments.

But these solutions are seldom virtualization-aware. Based on assumptions that are reasonable for physical environments, they fall short in virtual and cloud environments, for example:

• Scope—Virtualization adds a hypervisor layer, management server, and other virtualization-specific elements to the server-OS-middleware-application stacks typical of physical environments. This can introduce vulnerabilities in drivers, plug-ins, third-party switch code, or even the hypervisors themselves.

• Range—Even solutions that protect VM infrastructure as well as endpoints and applications may leave management, backup, and other servers unprotected, especially from attacks by informed insiders.

• Agility—All environments, physical and virtual, need constant patch management to protect applications running in them. But tools and processes designed for physical environments can’t keep up with virtual environments where inter-VM communications may be difficult to monitor and—in no time at all—a running workload may be moved to a “soft”, unprotected physical server, or a Guest OS rolled back to an unpatched, insecure state.

Point solutions for virtual environments

Solutions designed to fill these gaps in security coverage, even when designed specifically for virtual environments, introduce their own problems. Adding a new class of solutions inevitably adds complexity, and may spread responsibility for security management across multiple teams. And because these point solutions are engineered independently from legacy security offerings, coverage—by management consoles, for example—may be misaligned, creating gaps that persistent hackers may exploit, or areas of overlap that will need to be coordinated across solutions or teams.

3-Internet Security Threat Report, Volume 16: Trends for 2010. (Mountain View, CA: Symantec Corporation. April, 2011). http://www.symantec.com/business/threatreport/

4-Bill Brenner, Senior Editor. “Report: Insider attacks expensive, but there’s a silver lining”, CSO online. (Framingham, MA: IDG Communications CXO Media, February 3, 2011). http://www.csoonline.com/article/661719/report-insider-attacks-expensive-but-there-s-a-silver-lining

Complexity and coverage issues are particularly risky when the environment changes, requiring realignment of multiple tools and teams to accommodate new or changed security requirements. Because virtual environments are so dynamic, a patchwork of security solutions quickly grows into a management headache and source of IT risk.

Outline of a general solution

A solution for protecting critical workloads in virtual and cloud environments first needs to cover all layers of the virtual ecosystem, without gaps, overlapping responsibilities, or blind spots. Coverage must include:

• Endpoint protection for OS instances and applications running on VMs

• Safeguards for hypervisors running Guest VMs on physical hosts

• Protection for management consoles and availability, backup, and other tools that support operations in the virtual environment

• Hardening and access controls for the physical infrastructure that supports the virtual environment

Figure 1. Security risks are present at every level of dynamic virtual environments.

Security and regulatory compliance require enterprise-grade protection for servers that handle critical applications and sensitive data. This includes protecting fixed and mobile network endpoints, which hackers can exploit for access. But endpoint protection alone is not enough: mission-critical applications and data sets require higher standards for:

• Protection for systems based on the value of the intellectual property, financial, and sensitive consumer information they contain

• Integrity, with server access and configuration changes recorded to provide a clear audit trail, for documented compliance with relevant standards and regulations

• Availability and operational efficiency, so that business-critical applications and data are not only protected, but continuously and easily available for authorized business use


Figure 2. Effective security requires protection of management solutions and host servers as well as Guest VMs.

Signature-based technology—IT security’s "backstop"—provides only incomplete protection. First, it is backward-looking and therefore ineffective against zero-day malware and advanced persistent threats that target individual organizations. Second, network, storage, and processor requirements of signature-based defenses—multiplied across endpoints, servers, and consoles—consume exactly the resources most needed for performance and service quality. In these demanding environments, efficient protection is as important as effective protection—and both require applying multiple security technologies while avoiding resource-wasting duplication.

In addition to efficient, comprehensive security technologies, a protection solution should support, organize, and accelerate proven security practices, overcoming the new challenges created when separate teams manage different aspects of complex virtual environments. This means early involvement of security teams in virtualization projects, using virtualization-aware compliance frameworks to keep security planning up to speed with deployment schedules. And security processes should be formalized and documented, to avoid cutting corners even when projects are moving fast, using workflow support that operates effectively across multiple teams, and produces clear records with an audit trail to document compliance.

Benefits

The most important advantage of this kind of protection is a comprehensive security posture aligned to the requirements of individual server workloads at every layer of the environments: endpoints, critical systems, specialized servers, and physical infrastructure. End-to-end coverage secures hypervisor and management layers of virtual environments as well as the OS and application on every VM, working seamlessly across physical, virtual, and cloud infrastructure, and avoiding patchwork solutions prone to gaps and duplication. The approach enforces tight controls on mission-critical or sensitive workloads without compromising the accessibility, availability, or performance of servers or endpoints. It hardens IT assets as required by policies and regulations, and logs, reports, and documents compliance across both physical and virtual environments for worry-free audits.

Finally, since the point of virtualization is to achieve economies by pooling processor, I/O, and storage resources while maintaining quality of service, any security solution that adds heavy loads to virtual machines is a move in the wrong direction. An effective solution minimizes system overheads such as time-consuming signature updates and processor-intensive scans, especially on user-facing Guest VMs where I/O congestion and processor loads compromise the end-user experience.


Symantec Critical System Protection

Completely protect VMware® environments without impacting performance:

• Analyze virtual system configurations to identify vulnerabilities

• Detect changes to files of virtualized compliance-controlled assets

• Identify malicious attacks to Windows and non-Windows based guests, ESX/ESXi hypervisors and vCenter without using signatures

• Limit the behavior of VM workloads and use of removable media

• Harden critical systems against zero-day, known and unknown threats

• Protect against web-based threats, restricting port access and network communications

• Restrict the behavior of supported Guest OS

• Reduce the spread of malware by hardening VMware vCenter

Symantec Endpoint Protection

Maximize VM density and performance without sacrificing security:

• Manage security of VMware virtual machines and physical machines from the same console

• Create a standard, safe, white-list VMware image

• Deduplicate scanning of identical files across multiple VMware machines

• Check that offline VMware machines are safe before bringing online

• Ensure that multiple VMware machines do not all perform security processing at the same time

Symantec Server Security Solutions

Symantec server security solutions are designed and tightly integrated to help organizations maintain the highest levels of security and compliance as they rapidly expand their virtual and cloud environments. The solutions combine:

• Comprehensive coverage using signature-based anti-virus and anti-spyware, non-signature-based reputation and behavior protection technologies, plus firewall, application, and device controls

• Intrusion detection providing protection against custom crafted malware and sophisticated penetration techniques

• Host intrusion prevention applying policy-based non-signature protection to manage user activity, access to system resources, and restrict application behavior using Least-Privilege Application Control (LPAC)

• Granular File Integrity Monitoring identifies changes to files that reside on compliance controlled assets

• Configuration Monitoring tracks files and registry settings of host systems to flag changes and vulnerabilities in real time

• Centralized Management simplifies administration of heterogeneous systems, providing a single-console, real-time view of events and graphical reports


The combined Symantec solution has been thoroughly tested and optimized for virtual environments. Systematic elimination of duplicate and resource-intensive operations minimizes performance-reducing network, storage, and processor constraints, so service levels can be maintained at higher VM-to-host density.

Use cases in virtual environments

These two use cases, based on Symantec customer implementations, demonstrate the value of Symantec Server Security Solutions in mission-critical applications, and the added value of integrating these solutions for top-to-bottom security in highly virtualized environments.


PCI compliance in a stand-alone secure server environment

A financial-services firm needed to demonstrate compliance with PCI DSS in a large stand-alone virtual server environment running SAP® applications. They used Symantec Critical System Protection to secure the OS host layer, restrict inbound and outbound traffic to compliance control servers, and monitor file integrity. The solution also provided intrusion detection and prevention, protection against malicious file execution, and monitoring of user access to system components, with blocking of unauthorized access.

HIPAA compliance for secure Virtual Desktop Infrastructure

A healthcare provider needed to secure its new VMware Virtual Desktop Infrastructure (VDI) to comply with HIPAA protections for confidential patient information. They used Symantec Critical System Protection to secure the OS host, ensuring that execution was limited to approved processes, and Symantec Endpoint Protection to secure each VDI image. High performance was maintained through the Shared Insight Cache, which eliminates scanning of duplicate files on multiple VMs, reducing the performance impact of the security solution up to 70%.
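The scan-deduplication idea behind the Shared Insight Cache (and the "deduplicate scanning of identical files across multiple VMware machines" bullet in the sidebar above), as an added illustration that is not Symantec's or VMware's code: a cache of scan verdicts keyed by file content hash and shared by every VM on a host, so that each distinct file content is scanned once no matter how many cloned desktops contain it. The VDI images, the toy scanner and the "definitions version" used to expire stale verdicts are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample VDI clones: path -> file bytes. Three desktops are built
# from one golden image; one has a modified file, one has an extra file.
GOLDEN = {
    "/bin/sh": b"#!/bin/sh\necho base image\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/usr/lib/libcrypto.so": b"\x7fELF" + b"\x00" * 64,
}
VM_IMAGES = {
    "vdi-01": dict(GOLDEN),
    "vdi-02": dict(GOLDEN),
    "vdi-03": {**GOLDEN, "/tmp/dropper.exe": b"MZ" + b"EVIL" * 8},
}
# vdi-02 carries a tampered hosts file (constructed marker content).
VM_IMAGES["vdi-02"]["/etc/hosts"] = b"127.0.0.1 localhost\n10.0.0.5 c2.example\n"


def content_hash(data: bytes) -> str:
    # Key on content, never on path: the same bytes under different paths
    # (or different bytes under the same path) must not share a verdict.
    return hashlib.sha256(data).hexdigest()


def toy_scanner(data: bytes) -> bool:
    """Stand-in for the AV engine: flags the constructed marker bytes only."""
    return b"EVIL" in data or b"c2.example" in data


@dataclass
class SharedInsightCache:
    """Host-wide verdict cache shared by all guest VMs (constructed stand-in)."""
    defs_version: int = 1
    # (sha256, defs_version) -> is_malicious
    verdicts: dict = field(default_factory=dict)
    scans: int = 0   # full scans actually performed
    hits: int = 0    # scans avoided by a cached verdict

    def lookup_or_scan(self, data: bytes) -> bool:
        key = (content_hash(data), self.defs_version)
        if key in self.verdicts:
            self.hits += 1
        else:
            self.scans += 1
            self.verdicts[key] = toy_scanner(data)
        return self.verdicts[key]

    def bump_definitions(self) -> None:
        """A 'clean' verdict is only as good as the definitions that produced it;
        keying by definitions version makes every old verdict a miss."""
        self.defs_version += 1


def scan_fleet(images: dict, cache: SharedInsightCache) -> dict:
    """Scan every file of every VM through the shared cache; return findings per VM."""
    findings: dict = {}
    for vm, files in images.items():
        for path, data in files.items():
            if cache.lookup_or_scan(data):
                findings.setdefault(vm, []).append(path)
    return findings


if __name__ == "__main__":
    cache = SharedInsightCache()
    print(scan_fleet(VM_IMAGES, cache))
    print(f"files seen: {cache.scans + cache.hits}, scanned: {cache.scans}, cache hits: {cache.hits}")
```

With ten files across the three clones only five distinct contents exist, so five scans are avoided; after a definitions update the whole fleet is rescanned because every cached verdict is keyed to the old version.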

Why Symantec?

Symantec’s history, experience, and investment program reflect the company’s intent focus on security, from individual endpoints through physical servers running mission-critical workloads, to the most extensive and complex virtual and public and private cloud environments. Symantec’s deep resources in threat prevention and analysis keep the company at the forefront of the IT security industry, alert to the latest developments in malicious software and attack methodologies and prepared to offer its customers up-to-date, effective protection.

Conclusion

Virtual environments are growing in size and complexity, and taking on mission-critical tasks that provide attractive targets for thieves, hackers, and malicious insiders. Responsible organizations are not just securing the endpoints of their growing virtual infrastructures, but taking care to protect the physical and virtual servers on which these infrastructures rest, along with the management and other utilities that support them.

Solutions designed to meet the demands of slow-moving physical infrastructures lack awareness of the unique security requirements of these new virtual environments, protect them incompletely, and compromise their productivity for business uses. Patchworks of point solutions introduce gaps, duplication of responsibilities, and can add new risks.

Symantec security solutions offer end-to-end and top-to-bottom security that is comprehensive, proven effective in demanding scenarios, and designed to operate with minimum performance impact on the systems and networks it protects.

For an analysis of how Symantec Critical System Protection and Symantec Endpoint Protection can help meet your organization’s security and compliance requirements, please contact Symantec at +1 (650) 527 8000 in the US, or by visiting our website at www.symantec.com/virtualization-security.


About Symantec

Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.

About VMware

VMware delivers virtualization and cloud infrastructure solutions that enable IT organizations to energize businesses of all sizes. With the industry-leading virtualization platform—VMware vSphere®—customers rely on VMware to reduce capital and operating expenses, improve agility, ensure business continuity, strengthen security, and go green. With 2010 revenues of $2.9 billion, more than 250,000 customers, and 25,000 partners, VMware is the leader in virtualization, which consistently ranks as a top priority among CIOs. VMware, headquartered in Silicon Valley with offices throughout the world, can be found online at www.vmware.com.

Symantec Corporation

World Headquarters

350 Ellis St.

Mountain View, CA 94043 USA

+1 (650) 527 8000

+1 (800) 721 3934

www.symantec.com

VMware, Inc.

World Headquarters

3401 Hillview Ave.

Palo Alto, CA 94304 USA

Tel: +1 (877) 486 9273

Fax: +1 (650) 427 5001

www.vmware.com

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. VMware and vSphere are registered trademarks or trademarks of VMware, Inc., in the United States and/or other jurisdictions. Windows is a registered trademark of Microsoft Corporation in the United States and other countries. Other names may be trademarks of their respective owners.
