Virtualisation Security Needs More Than A Fortress Mentality

Virtualisation produces impressive results, but it also requires a fundamental shift in mindset. The ‘fortress’ approach that works with older IT environments needs to change once you’re dealing with virtualised systems.

Picture: Matija Grguric

“The typical way IT has always looked at security is by setting up moats and firewalls — it’s a fortress view,” Colin McCabe, senior manager for the platform business unit at Red Hat, told Lifehacker. “Everything which runs inside that data centre has typically been viewed as protected.”

That viewpoint has multiple problems. For one, it presumes that the same controls are being applied to virtualised environments, and that often isn’t the case. “You need to look at security at the hypervisor layer rather than just the operating system. People have often just assumed that the security comes with it.”

The second issue is that it fails to recognise that problems can exist inside the fortress. “The majority of issues are with people internal to organisations, whether through accidents, through social engineering or through malice, introducing things into the environment,” McCabe said. “You can only control that to a certain degree.”

“Even when you can control what’s in your own environment — by disabling USB ports or banning browsing — you can only do that internally. As soon as you allow someone to do a VPN access from their home, you’ve effectively opened the castle gates. And when you extend that into saying I’m moving this critical piece of data into the cloud, you have no control over what’s happening in that environment at all.”