controlling the risks and costs surrounding dormant vms

Transcription

1 Secure Dormant vms Meet Compliance Reduce Costs Simplify it infrastructure controlling the risks and costs surrounding dormant vms Whitepaper

2 Table of Contents Executive Summary...pg 1 Introduction...pg 2 Virtual Machine Vulnerabilities...pg 2 4 Compliance and a Virtual Environment...pg 4 5 Additional Challenges with Virtual Machines...pg 5-6 Protecting your Virtual Infrastructure While Reducing Costs...pg 6 7 Business Benefits of PKWARE vzip...pg 8 9 Success Story...pg 9

3 Executive Summary Most enterprises today are adopting virtualization strategies. Virtual Machines (VMs) that are powered down (dormant) are more vulnerable and leave sensitive data exposed, resulting in security and compliance risks. By definition, virtualization multiplies the amount of data across several non-physical server instances. This in turn, multiplies the inherent costs of storing those VMs. Organizations are challenged with securing virtual environments in attempt to avoid the costs of data breaches and non-compliance. Addressing security along with increased virtual storage costs is the reason PKWARE developed vzip. vzip combines industry-leading data security and ZIP compression with the VMware vsphere interface. PKWARE enterprise-grade security protects dormant VMs from unauthorized access and compromise. Optimized ZIP compression reduces the amount of storage required by a dormant VM image by as much as 80%. PKWARE vzip encrypts and compresses virtual machines prior to them being archived; enhancing security, adhering to compliance regulations, lowering storage costs, and decreasing transfer times. 1.

4 Introduction As the pressure to control IT infrastructure costs continues, the trend toward virtualization remains at the forefront of every organization s IT environment. Leading analysts agree that virtualization can be an extremely effective strategy to better manage physical data centers and their increasing costs around storage, real estate, energy, hardware and software. Data center virtualization consolidates physical servers into groups of virtual resources. These VMs are then spread across multiple hosts, often times in the Cloud, according to resource requirements. To even further this efficiency, unused and underperforming VMs are decommissioned or archived on a regular basis. VMs that are not active and/or powered down are referred to as dormant VMs. Virtualization enhances flexibility and agility by detaching workloads and data from the functional side of physical infrastructure. Gartner A recent PKWARE survey of 940 enterprises found that the majority of virtualized environments are not secured properly. Sensitive data that is transferred to an unprotected VM can be exposed to users with access to the shared server. Any data stored in dormant VMs lacks protection when the operating system is not active or properly patched. Though dormant, the inactive VMs represent a viable security threat and require the appropriate security controls to mitigate risk and avoid fines. The ease in which virtual machines can be replicated is indeed one of the greatest advantages. However, with this comes the likelihood of uncontrolled sprawl. Despite the best intentions of creating a back-up, or a copy during testing, these efforts often lead to a massive number of dormant VM files collecting when they aren t deleted. This accumulation of VMs consumes storage space at an exponential rate, resulting in increased costs. VIRTUAL MACHINE VULNERABILITIES Virtual infrastructures are subject to more vulnerabilities than their physical counterparts. Dormant VMs can easily be overlooked, left unprotected and 2.

5 VIRTUAL MACHINE VULNERABILITIES cont... inadvertently left out of security procedures. According to Wendy Nather, Research Director, Enterprise Security Practice, 451 Research, two critical operations are necessary to secure dormant VMs: access control and integrity verification. Access control restricts access to the dormant VMs only to those who are trusted, and integrity verification ensures that the secured VMs have not been tampered with since they were secured. With more than half of all data center workloads now virtualized, enterprises need defined virtualization security processes, according to Neil MacDonald, Vice President, VP and Gartner Fellow Emeritus. Dormant virtual machines pose a more significant security risk than their physical counterparts. Stealing a VM becomes as simple as stealing a file. VMs, like files, should be encrypted to protect their contents and be protected from tampering. Among other consequences, the dormant VM will likely not be updated with the latest security patches. Now the system, including the sensitive data, is vulnerable to attack. It is also possible to find dormant VMs with out-of-date access polices, and completely out of the loop for security and monitoring functions, making them an ideal target for hackers to use as a virtual door into the system. As the Crisis virus demonstrated in the summer of 2012, a dormant VM may be compromised and serve as an entry point into the entire virtual system when the VM is brought back online. Lastly, any exposure could easily result in compromised data across an entire virtual environment since virtual instances are often replicated across multiple systems. Wendy Nather from 451 Research concurs and adds that, In traditional computing environments, a system could only be attacked while running, but virtual machines don t necessarily have to be running to be compromised. A dormant virtual machine could present the same liability as if it were running. Thus to fully protect a dormant virtual machine, one must control the access to the VM and verify that the VM is completely unchanged and intact since it was stored. A thorough risk assessment should examine both the access control and 3.

6 VIRTUAL MACHINE VULNERABILITIES cont... the authentication processes of the virtualized environment in order to provide adequate data protection. Benefits aside, it is clear that the additional layers of technology bring additional complexity that may require more security controls and intricate policy management to ensure data is protected in every instance. It s important to realize that these security risks exist while a VM is in motion and while being stored or archived in physical and cloud locations. Any breach has the potential to bring about extensive costs, negative publicity, damage to the brand, and can ultimately decrease company valuations. COMPLIANCE AND A VIRTUAL ENVIRONMENT Regulatory standards require that information is secured regardless of where it resides. The protection of sensitive data is paramount in physical, virtual and cloud infrastructures, both while data is at rest and in motion. Virtual machines must meet all compliance requirements, virtual does not equate to leniency; it cannot be insecure or simply deleted. Failure to adhere can present significant fines and penalties. PCI DSS Virtualization Guidelines Dormant VMs house stored data sets that could contain sensitive information and virtual device configuration details. The Payment Card Industry Standards Council recognizes that an individual with access to a dormant VM could copy and activate it in another location, or he/she could scan the dormant files for payment card data and other sensitive information. To ensure protection, the mandate requires all components within the virtual environment be identified and considered in scope for a PCI DSS review. Furthermore, the governing group has outlined specific measures to address dormant VMs and ensure compliance. The implementation of a virtualized environment must meet the intent of all PCI DSS requirements, such that the virtualized systems can effectively be regarded as separate hardware. PCI Security Standards Council 4.

7 COMPLIANCE AND A VIRTUAL ENVIRONMENT cont... Highlights include: Access should be restricted, monitored, and carefully controlled. Inactive VMs that contain payment card data need to be treated with the same level of sensitivity and have the same safeguards as any other cardholder data store. Backups of VMs, active VMs, and inactive VMs should always be protected and securely deleted or secure-wiped when the data is no longer needed. ADDITIONAL CHALLENGES WITH INACTIVE VIRTUAL MACHINES The ease of provisioning has quickly led to what is commonly referred to as sprawl. Today, deployment of VMs can happen so fast that the timeframe for which the VM is actually needed is often overlooked. Once a VMs intended purpose is completed, it sits orphaned and idle, but not nearly as idle as one might think. The VM is still consuming disk space and memory. It adds to the complexity of data protection processes, consumes back-up resources and can impact the performance of other VMs sharing the same server and drawing on the same resources. The multiplier effect on data size can spiral out of control as the number of VMs increase with processes and data replicated across each one. Multiplied data requires more storage resulting in increased storage costs. The rapid proliferation of VMs has yielded a large number of dormant VMs, adding little value, if any, to the overall virtualization strategy. Growing IT Costs The continued proliferation of data forces enterprises to re-examine their storage strategies. The explosive growth of VMs adds up to ever increasing storage needs and costs. For example, storage infrastructure costs, fully loaded can amount to 5.

8 ADDITIONAL CHALLENGES WITH INACTIVE VIRTUAL MACHINEs cont... more than $8K per year for every TB of storage. Data centers run $10 $12K per square foot per year. Capacity is fast becoming an issue for data centers reaching their limit for physical storage. Increased IT Complexity Such a complex IT infrastructure can also increase the chance of corrupting a VM during archival. Manual selections during the process can often lead to oversights and a lapse in the adherence to standards. Costs associated with employee training to ensure mistakes are avoided as well as the time and expense to correct problematic archiving must be considered. File transfers can also become unruly as the huge amounts of information must be managed and tracked. PROTECTING YOUR VIRTUAL INFRASTRUCTURE WHILE REDUCING COSTS A comprehensive data security strategy can effectively manage the threat of a data breach. An easy way to ensure that sensitive data is not exposed in the event of a system breach, and that malware cannot corrupt the VMs, is to encrypt all dormant VMs. Strong encryption should be used to secure dormant VMs, for example, X.509 and/or digital certificates can protect from unauthorized access. Avoiding a breach or any exposure of data prevents lost revenue, time and money to repair your brand and worst case, a decrease in company valuation. Reducing IT Costs Effective virtual infrastructure storage strategies can help companies realize significant cost savings with almost immediate return. Storage requirements can be reduced, therefore storage costs reduced, if the size of dormant VM images is reduced. This translates to Cloud savings as well, as decreasing the VM size with compression prior to sending the it to the Cloud requires less space. With the reduction in size, less bandwidth is required to transmit. Less storage uptake is required and smaller transmissions means less chance for a failure and lost time. We continue to see an increase in the costs to businesses suffering a data breach. Regulators are cracking down to ensure organizations implement required data security controls or face harsher penalties Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute 6.

9 PROTECTING YOUR VIRTUAL INFRASTRUCTURE WHILE REDUCING COSTS cont... Automated and scheduled archiving without the need for manual intervention may reduce training costs. Without manual intervention, costs associated with mistakes and user errors are also minimized. Reducing Complexity The IT infrastructure can be simplified despite the added requirements and processes around virtualization. Again, the need to remember settings, time windows and determine locations for VMs can be simplified by automating the archival process to apply a profile-based policy instead of requiring manual selections. By simplifying the archiving process, less training/training expenses are needed for employees. The architecture can also be simplified and training needs reduced, if administrators access the system directly through a centralized control system. Centralized management can eliminate the need for additional guest software or configuration by allowing the system to operate directly on the host system. Lastly, the process to enforce policies designed to minimize the corruption of VMs can be simplified if the system automatically detected the running state of the VM prior to archival. This can possibly eliminate the need for VM recovery efforts as well. Achieving Compliance Securing and archiving VM images in compliance with regulations will reduce potential non-compliance fines and penalties. Utilizing X.509 and digital certificates with strong encryption will secure data when archiving dormant VMs. The risk of noncompliance can also be reduced if the system automatically applies a profile-based policy instead of requiring manual selections when archiving VMware virtual machines. This can reduce the number of mistakes made. Compliance costs could be further reduced by simplifying and centralizing management of the virtual infrastructure. By eliminating a layer of complexity, the system could operate directly with the host system so guest systems require no additional software or configuration. 7.

10 CAPITALIZING ON VIRTUALIZATION STRATEGIES WITH PKWARE vzip PKWARE developed vzip in response to the growing adoption of virtualization and the potentially costly challenges that organizations must navigate to be successful. vzip is the only cost-effective application that offers a convenient way to compress and encrypt dormant VMs within the workflow that administrators use to manage a virtual infrastructure. vzip provides security for VMs that are infrequently used, unused or require archiving. With its industry standard ZIP compression capabilities, vzip reduces the amount of storage required for a VM image by up to 80%. This dramatically cuts transmission times of VMs to another storage medium or host and defers the need for additional bandwidth. One of the best security solutions for cloud and virtualized environments is data-centric, file-level encryption that is portable across all computing platforms and operating systems, and works within a private, public or hybrid cloud. Diana Kelley, SecurityCurve As a result, enterprises can impact the bottom line by lowering overall IT costs that span storage, bandwidth, and training for a virtual infrastructure, as well as reduce the potential non-compliance and breach costs associated protecting sensitive data. Powerful Protection to Mitigate Risk PKWARE vzip renders dormant VMs unusable to anyone that does not have the key to decrypt them. And, it protects data even when the VM operating system is not active or not properly patched. vzip is designed for consistent encryption in any private or public Cloud environment. Assured Compliance to Avoid Fines Persistent file level security protects the most sensitive information in dormant Virtual Machines-- and addresses regulations such as PCI, HIPAA/HITECH Act, and the EU Privacy Act. Industry Standard Compression to Reduce Costs vzip protects against the costs of VM sprawl by reducing VM file size by up to 80%, consequently reducing storage needs and transmission times. 8.

11 CAPITALIZING ON VIRTUALIZATION STRATEGIES WITH PKWARE vzip cont... VMware Integration vzip is built using the VMware plug in integration technology. It integrates tightly with the VMware management infrastructure, reducing the complexity of managing security within virtual environments. vzip fits into the vcenter workflow to secure and compress dormant VMs so they can be moved or copied more quickly and/or stored in the Cloud. These encrypted VMs are fully protected and cannot be accessed without the right credentials. vzip supports VMware vcenter v5.0/5.1 for Windows. SUCCESS STORY Recent PKWARE research revealed that unsecured, dormant virtual machines are causing problems for enterprises around the world. One such company, a global retailer, recently virtualized their entire IT infrastructure. The company realized it has an excess of stale Virtual Machines. Due to regulations, the company is required to keep these VMs for seven years. Some of the VMs contain sensitive data, but the retailer can t identify which ones. They are putting themselves at risk of non-compliance or worse yet, a security breach. In addition, storage infrastructure and data center space costs are on the rise and the proliferation of dormant VMs is driving up their monthly IT spending. The retailer using vzip is compressing their VMs as much as 80% prior to them being archived or copied, thereby dramatically reducing storage and transmission costs. At the same time, vzip allows them to secure dormant VMs using strong encryption, making it impossible to gain access without the right credentials and minimizing the risk of a security breach while maintaining compliance with PCI regulations. 9.

12 Sources Virtualization Special Interest Group, PCI Security Standards Council. (2011). PCI Data Security Standard (pci dss) 2.0. Information supplement: pci dss virtualization guidelines. Retrieved from documents/virtualization_infosupp_v2.pdf Gartner. (2013). Virtualization. Retrieved from IDC. (2010, December 6) Worldwide market for enterprise server virtualization to reach $19.3 Billion by 2014, according to IDC [Press Release]. Retrieved from jsp?containerid=prus SecurityCurve. (2011). How data-centric protection increases security in cloud computing and virtualization [Whitepaper]. Retreived from inthecloud.pdf Symantic. (2011, March 8). Ponemon study indicates organizational data breach costs hit $7.2 Million and show no sign of leveling off [Press Release]. Retreived from jsp?prid= _01&om_ext_cid=biz_socmed_twitter_facebook PKWARE. (2013, January). The state of virtualization security today: PKWARE virtualization security study [Research Report]. Copyright 2013 PKWARE, Inc. All rights reserved. PKWARE, the PKWARE Logo, SecureZIP and PKZIP are registered trademarks of PKWARE, Inc. Trademarks of other companies mentioned in the document appear for identification purposes only and are the property of their respective companies