Solution Brief: Creating a Secure Base in a Virtual World
Abstract

The adoption rate of virtual machines has exploded at most organizations, driven by the improved cost effectiveness of increased server utilization. The savings in rack space, hardware costs, power consumption, and many other factors are driving this steadily increasing trend. However, this boom in logical servers has resulted in a substantial increase in the number of devices connected to the network, and each needs to be individually configured, patched, and secured. Fortunately, solutions from Shavlik Technologies provide the same secure operating base and patch management for virtual machines as they do for their physical counterparts.

The Reality of Virtualization

In the past few years, medium- to large-sized organizations have implemented at least some level of virtualization. This trend, which leverages a single physical resource such as a server to function as multiple logical servers, is growing at an explosive rate. Research firm IDC estimates that between 2006 and 2009, virtualization will grow at a compound annual growth rate of almost 50 percent. Virtualization is quickly becoming a reality at most organizations.

This document is provided strictly as a guide.

This rapid growth in virtualization is driven by a number of factors. These include better utilization of idle or available processing power within servers, reduced rack space and power consumption, lower hardware acquisition and maintenance costs, easier backup, improved high availability and disaster recovery, and centralized software management.

Virtual Machines - Real Exposure

While there are many benefits to virtualization, organizations must take care to apply appropriate security safeguards. Virtualization can actually increase the need for security, and system and security administrators need to plan for and implement defenses accordingly.
Because each virtual machine has its own network address and can be scanned, hacked, infected, and compromised just like a dedicated physical device, applying security to each individual virtual machine is as critical as securing dedicated physical devices.
Although virtualization may reduce the number of physical devices in an organization, the number of logical machines usually increases. It is not uncommon to experience an enormous increase in the number of logical servers. Because virtualization allows new servers to be added without the cost of deploying new hardware, there is a strong tendency to add logical servers. Rapid adoption of virtualization technology therefore results in a significant increase in the total number of servers that must be securely configured and patched.

With the increased number of servers to safeguard, security and IT administrators need to aggressively and continuously monitor for new devices, servers, and services. Prior to virtualization, when adding a new device meant deploying new hardware, the addition of new servers and applications was naturally throttled by budget, hardware acquisition, rack space, and other time-consuming activities. These physical constraints created a natural process by which IT operations and security teams were notified when new servers were being added. Virtualization eliminates much of this process and structure, and as a result new servers and applications can appear significantly faster and more easily, oftentimes without the coordination of the security team. New virtual servers can appear without any authorization at all. Security administrators must be equipped with tools to proactively discover new virtual devices as soon as they appear.

With the additional number of virtual devices, security administrators must have robust and comprehensive ways of tracking and managing the security configuration and patch status of each and every virtual system. Each one needs individual attention. For example, an unpatched virtual machine can still be exploited, even if the host system is patched and not vulnerable. A common mistake is for IT or security administrators to assume that a well-protected host insulates the virtual systems running on it.

That is not the case. A UNIX-based host, or any host for that matter, that is up to date with all security patches, perfectly configured and hardened will not protect a virtual Microsoft IIS server running on it: the guest has its own operating system, its own network address, and its own exposed services, and it is patched independently of the host. Likewise, virtual machines and appliances potentially carry embedded vulnerabilities and require special consideration for patching and updates. To establish an effective security baseline, each and every virtual machine needs individual attention and management.
Shavlik Security For Your Virtual Machines

One of the myths surrounding virtual machines is that the low-level infrastructure and interfaces that connect them to the network and management systems are subtly different, and prevent many systems and applications from working with them. For example, it is commonly (but wrongly) thought that patch management systems will not work effectively with virtual machines. Fortunately, this is not the case. While it is true that the system hosting the virtual machine mediates the guest's access to the network and hardware, this does not cause problems for patch management. Today's virtual machine host implementations are mature enough that even low-level, system-oriented tasks such as shutdowns, restarts, reconfigurations, and system updates work on the guest just as they do on a dedicated machine.

Patch management, as implemented by Shavlik Technologies, works equally well with virtual machines and their physical counterparts. Virtual machines have the same visibility to Shavlik's patch and vulnerability management products as dedicated machines do. Existing and new virtual devices are discovered in the same way as dedicated devices. They have the same risks and vulnerabilities, and they are detected in the same manner. Likewise, security baselines are determined and established in the same manner.

When it comes time to apply security updates to virtual machines, administrators treat them just like dedicated physical devices. Virtual machines require the same patches as dedicated devices, and the patches are tested, received, applied, rolled back if necessary, and managed in the same way.

Additional Dividends from Shavlik

Not only are Shavlik products compatible with virtual machines, organizations using them will find additional benefits that are not available in other patch and vulnerability management solutions.
Agentless Approach: Easiest Way to Patch Virtual Machines

Shavlik patch management does not require agents. This has particular advantages for organizations rolling out virtualization because of the sheer number of new virtual devices. Not only can these new devices be protected by Shavlik, patch and vulnerability management can be done easily, from a single console, in a matter of minutes. This is a tremendous advantage over solutions that require agents to be installed on each new virtual machine. Deploying and maintaining hundreds or thousands of agents on virtual machines within large organizations is a time-consuming, tedious, and expensive effort. An agentless approach is less expensive to acquire, easier to deploy and maintain, and provides immediate protection.

With Shavlik's agentless approach, organizations can rapidly raise their level of security because they can begin assessment, remediation, and generating useful reports within minutes of a new virtual machine going active. There is little to no impact on the data center or staff. This is critical given the nature of continuous operations in large data centers. All of these benefits of an agentless approach are magnified in a virtual machine environment, not only because of the rapid growth of virtual machines, but because they are more dynamic in nature, coming and going at a much quicker pace than physical, dedicated servers.

Shavlik: Only Vendor Patching Offline Virtual Machines

The unique advantage of using Shavlik solutions to secure virtual machines is the ability to patch ALL virtual machines, both online and offline. As mid- to large-sized organizations have discovered, patching offline machines can be a real headache. For various reasons, most enterprises have a significant number of virtual images offline at any given time. Patch management systems can't patch what they can't see, so anything that is being serviced, or offline for any reason, does not get patched.

While there are various techniques to deal with this and ease the pain, it is still painful. Everyone wants to see a report that says that for a particular critical vulnerability, 100% of the organization's applicable machines have been patched. Closure for each patch is greatly desired, and no security officer wants to report to upper management that 77% of the vulnerable machines have been patched. Until that report says 100%, a certain amount of anxiety, or even nausea, remains as an awful pit in the stomach of those responsible.
Shavlik Technologies has developed a way to patch all virtual machines, even those that are offline. This ensures that offline virtual images can be kept in a constant state of readiness to be deployed. Shavlik is the only vendor capable of doing this, and it is a huge benefit to their customers.

For example, many enterprises intentionally have a significant number of virtual machines offline at given periods. One such usage is to increase overall uptime and high availability. Virtual machines have made it much easier for organizations to keep redundant machines for peak processing periods, for use during maintenance, or as hot standby machines in case of a server failure. However, it is time-consuming and operationally difficult to bring these offline machines online just for patch management. Shavlik customers have the benefit of being able to perform full vulnerability management, including patching, for all of their virtual machines, even those that are offline. IT and security staff can quickly verify and report that 100% of the organization's vulnerable machines -- physical, virtual, and offline -- have received a specific critical patch and are protected.

Since offline machines can remain offline while they are being patched, another plus for Shavlik customers is improved security. Offline machines don't have to be on the network, and thus at risk from the very vulnerability they are being patched for, in order to receive the patch. A patched image should still be included in the next scan once it is brought online, so that the compliance report reflects the running system and not only the image it was built from.

Furthermore, this feature allows the window of vulnerability to be significantly reduced. For example, some critical patches should be applied immediately but require a system reboot. For operational reasons it may be difficult for an organization to shut down a server to apply the patch, so it remains operating with the vulnerability until the organization can address it. However, with the ability to utilize virtual redundant servers protected by Shavlik, the organization can immediately patch an offline standby server and bring it online as the production server. This gives the organization near-immediate protection from the vulnerability without interrupting service. The primary server can then also be safely patched while offline and not exposed to attack.
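The discovery and reporting problems described in the two preceding sections (virtual machines appearing without the security team's knowledge, and a coverage report stuck below 100% because offline images never get patched) can be made concrete. The following Python is an added example written for this page; it is not Shavlik code and uses no Shavlik API. The VM names, patch identifiers, inventory, and asset register are all constructed, and the hypervisor is stood in for by a static list.

```python
"""
Added example, not taken from this brief or from Shavlik's products: reconcile
a hypervisor's VM inventory against the security team's asset register, flag
VMs that appeared without authorization, and produce the per-patch coverage
report the text describes, separating machines that are unpatched because they
are offline from those that are unpatched while online. Every VM name, patch
identifier and inventory entry below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    os: str              # operating system family the patch applies to
    online: bool         # powered on and reachable on the network
    patches: frozenset   # identifiers of patches already applied to the image


# Constructed hypervisor inventory. "web-standby" is a powered-off hot standby,
# "db-template" is a golden image that has never been booted, and "test-lab-3"
# was created without telling the security team.
INVENTORY = [
    VM("web-01", "windows", True, frozenset({"KB-A", "KB-B"})),
    VM("web-02", "windows", True, frozenset({"KB-A", "KB-B"})),
    VM("app-01", "windows", True, frozenset({"KB-A", "KB-B"})),
    VM("app-02", "windows", True, frozenset({"KB-A", "KB-B"})),
    VM("db-01", "windows", True, frozenset({"KB-A", "KB-B"})),
    VM("web-standby", "windows", False, frozenset({"KB-A"})),
    VM("db-template", "windows", False, frozenset()),
    VM("test-lab-3", "windows", True, frozenset({"KB-A"})),
    VM("build-07", "linux", True, frozenset({"LX-1"})),
]

# Constructed asset register maintained by IT operations and security.
AUTHORIZED = {"web-01", "web-02", "app-01", "app-02", "db-01",
              "web-standby", "db-template", "build-07"}

CRITICAL_PATCH = "KB-B"      # hypothetical critical patch identifier
CRITICAL_PATCH_OS = "windows"


def unauthorized_vms(inventory, authorized):
    """VMs present on the hypervisor but absent from the asset register."""
    return sorted(vm.name for vm in inventory if vm.name not in authorized)


def applicable(inventory, patch_os):
    """Every image the patch applies to, whether or not it is powered on."""
    return [vm for vm in inventory if vm.os == patch_os]


def coverage_report(inventory, patch, patch_os):
    """Coverage for one patch. The denominator is every applicable image,
    so a tool that cannot reach offline images can never report 100%."""
    targets = applicable(inventory, patch_os)
    patched = [vm.name for vm in targets if patch in vm.patches]
    unpatched = [vm for vm in targets if patch not in vm.patches]
    pct = round(100.0 * len(patched) / len(targets), 1) if targets else 0.0
    return {
        "patched": len(patched),
        "total": len(targets),
        "percent": pct,
        "offline_unpatched": sorted(vm.name for vm in unpatched if not vm.online),
        "online_unpatched": sorted(vm.name for vm in unpatched if vm.online),
    }


def apply_patch(inventory, patch, patch_os, include_offline):
    """Simulate one patch job. An online-only tool touches the powered-on VMs
    it can reach; a tool that can patch offline images touches every
    applicable image. Returns a new inventory; the input is left unchanged."""
    result = []
    for vm in inventory:
        if vm.os == patch_os and (vm.online or include_offline):
            result.append(VM(vm.name, vm.os, vm.online, vm.patches | {patch}))
        else:
            result.append(vm)
    return result


if __name__ == "__main__":
    print("unauthorized:", unauthorized_vms(INVENTORY, AUTHORIZED))
    print("before:", coverage_report(INVENTORY, CRITICAL_PATCH, CRITICAL_PATCH_OS))
    online_only = apply_patch(INVENTORY, CRITICAL_PATCH, CRITICAL_PATCH_OS, False)
    print("online-only job:", coverage_report(online_only, CRITICAL_PATCH, CRITICAL_PATCH_OS))
    everything = apply_patch(INVENTORY, CRITICAL_PATCH, CRITICAL_PATCH_OS, True)
    print("offline-capable job:", coverage_report(everything, CRITICAL_PATCH, CRITICAL_PATCH_OS))
```

Running it shows the constructed inventory at 5 of 8 applicable images patched; an online-only job raises that to 6 of 8, with the two powered-off images still listed under offline_unpatched; a job that also patches offline images reaches 8 of 8. In practice the inventory would come from the hypervisor's management interface rather than a static list, and a rogue VM such as test-lab-3 would be escalated to the asset owners as well as patched.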
Summary and Conclusions

It is clear that virtualization, although a relatively new trend, is seeing explosive adoption rates. The benefits of virtualization that are driving this strong trend are not limited to operational savings but, with the right security infrastructure, include a number of security dividends as well. While it is true that implementing virtualization without proper security actually increases an organization's vulnerabilities, it is also true that when properly safeguarded with Shavlik's agentless solutions and their unique ability to secure offline virtual servers, an organization can experience an improved level of security.

Shavlik's agentless approach and unique capability of patching offline virtual servers and machines give organizations several benefits, including:

- Proactively engaging in a continuous and ongoing process to provide vulnerability and patch management for virtual machines.
- Quick and automatic discovery of new virtual machines, even before they come online.
- Scanning of existing and new virtual machines for vulnerabilities.
- Reporting shortcomings and, if desired, automatically remediating them.
- Patching virtual machines while they are offline and not subject to attack.
- Allowing organizations to respond immediately to critical vulnerabilities that require rebooting.

Shavlik's powerful technologies and features for securing virtual machines make it possible for organizations to experience all of the above, and many more benefits. Being able to achieve this without deploying agents makes it possible, from both a cost and an IT resource perspective, to effectively and efficiently respond to the significant increase in the total number of logical servers and devices caused by the implementation and growth of virtual machines. The myth that virtual machines can't be adequately patched is just that: a myth. With Shavlik, not only can they be efficiently patched and managed, virtual machines can experience greater security and advantages than their physical counterparts.