One topic that has been widely discussed over the last few years regarding technological solutions in companies is virtualization. In fact, this technology has evolved so much it has reached a level of technical maturity that makes it attractive for any kind of company, and it is supported by the processing and storage capabilities provided by hardware solutions.
Apart from the benefits that come with virtualizing an infrastructure, there are other aspects implied – such as cost reduction – that turn it into a very popular technology among IT teams. Due to these advances in virtualization technologies, the cloud concept has acquired significant relevance, together with its virtues and dangers, as was to be expected.
Regardless of the chosen model of cloud computing services – SaaS (Software as a Service), PaaS (Platform as a Service) or IaaS (Infrastructure as a Service) – it is important to incorporate security management practices from the very beginning in order to avoid problems that could jeopardize business continuity.
Even though choosing an IaaS model may allow us to better adjust security as compared to a SaaS model – although using a private cloud will give us more guarantees than a public one – there are at least five aspects we should take into consideration when developing our project.
1. Adopt the paradigm shift in management
After a judicious analysis of the pros and cons of migrating to a virtualized infrastructure, it is extremely important that the team in charge of its management is aware of what these changes imply.
Even though these changes are practically transparent for the user, the people in charge of its management will have to learn about the security features so that they can handle them in an appropriate way and, in the case of the security management team, they will have to do a new risk assessment to update the control measures for the new scenario.
2. New infrastructure model; old threats
Although having a new model of infrastructure management is going to save the IT team many headaches, some threats persist and cannot be ignored. Malicious code and vulnerability exploits are only two examples of threats that should never be excluded from the threat landscape.
Although the servers, computers and applications may not be physically present, the update and control policies should be kept running. Even when the SaaS model is used, one must always be sure the providers guarantee these controls are followed.
3. Reformulating the access controls
Having virtualized services or infrastructure provides a high degree of flexibility regarding information access. This represents a great advantage for the business, but at the same time it requires companies to review their data access controls.
In this scenario, it is fundamental to have a two-factor authentication system. Moreover, there are also other controls, such as data encryption, which grant the company additional security layers in order to ensure that whoever accesses the data is who he/she claims to be.
4. Strict definition of management roles
Who can access the systems? Where can they access them from? What permissions should they have? Who can move or clone them? These are only some of the questions that need to be answered, and the answers should be properly implemented.
Virtualization involves considering a series of additional permissions for systems and applications, both with respect to management as well as their use by end users.
5. Log tracking to detect anomalies
The fact that there are no physical servers does not mean that the management of security logs will cease to exist. In fact, apart from monitoring all the computers within the infrastructure, virtualization brings about a new component that should also be monitored: the hypervisor.
The timely monitoring of logs about the status of servers and applications cannot be set aside, because they can provide crucial information to detect and block threats that compromise information security.
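As an added illustration of points 4 and 5 together (not part of the original article), the following Python sketch checks hypervisor audit events against a role policy that answers who may do what, and from where. The user names, roles, network ranges and the JSON log format are all assumptions made for the example.

```python
import ipaddress
import json

# Hypothetical role policy answering the questions from point 4:
# which operations a role may perform, and from which networks.
POLICY = {
    "vm-admin": {"ops": {"power_off", "snapshot", "clone", "migrate"}, "nets": ["10.20.0.0/24"]},
    "vm-operator": {"ops": {"power_off", "snapshot"}, "nets": ["10.20.0.0/24", "10.30.0.0/16"]},
}
ROLES = {"alice": "vm-admin", "bob": "vm-operator"}  # hypothetical user-to-role assignment

# Constructed hypervisor audit events, one JSON object per line (assumed format).
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:12Z","user":"alice","src":"10.20.0.15","op":"clone","vm":"db01"}
{"ts":"2024-05-01T09:04:40Z","user":"bob","src":"10.30.4.2","op":"clone","vm":"db01"}
{"ts":"2024-05-01T09:10:03Z","user":"alice","src":"203.0.113.7","op":"migrate","vm":"web02"}
{"ts":"2024-05-01T09:11:55Z","user":"mallory","src":"10.20.0.9","op":"power_off","vm":"web02"}
not-json garbage line
"""

def check_event(ev):
    """Return the reasons an event violates the policy (empty list if it is fine)."""
    role = ROLES.get(ev.get("user"))
    if role is None:
        return ["unknown user"]
    rule, reasons = POLICY[role], []
    if ev.get("op") not in rule["ops"]:
        reasons.append(f"role {role} may not {ev.get('op')}")
    try:
        src = ipaddress.ip_address(ev.get("src", ""))
        allowed = any(src in ipaddress.ip_network(n) for n in rule["nets"])
    except ValueError:  # missing or malformed source address
        allowed = False
    if not allowed:
        reasons.append(f"source {ev.get('src')} outside allowed networks")
    return reasons

def find_anomalies(log_text):
    """Return (line_number, event_or_raw_line, reasons) for each suspicious line."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        try:
            ev = json.loads(line)
            reasons = check_event(ev) if isinstance(ev, dict) else ["unparseable line"]
        except ValueError:  # json.JSONDecodeError is a ValueError
            ev, reasons = line, ["unparseable line"]
        if reasons:
            findings.append((n, ev, reasons))
    return findings
```

Unparseable lines are reported rather than skipped, since a gap or corruption in the hypervisor log is itself worth investigating.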
Although all the aspects mentioned above have to do with tasks that should be carried out by the joint work of the corporate IT teams and security teams, we should never forget a key aspect for security: the end user. Even though virtualizing the infrastructure should have a minimum impact on users, it is essential that they understand the benefits and risks that come with these new implementations.
In order to achieve success in the implementation of any project, we need to have a comprehensive approach to all the aspects that could have an impact on the normal development of the business. When the decision to virtualize the infrastructure is made, the security aspects cannot be relegated to a second place.
If the adequate control measures are put aside to save costs from the very beginning, we should ask ourselves what would be the impact of an incident and what value our data has for the business.