Virtualisation offers a lot of advantages but security must already be built in
- SC Magazine, February 2011
In an increasingly complex security world, virtualisation promises much - if you build in security from the get-go, says Rob Buckley
The company was looking to cut down on server sprawl, reduce the amount of new server hardware it had to buy and reduce its power costs, so chose to virtualise a significant number of its servers, says Standard's infrastructure architect, Joel King. By moving to virtualised servers running on VMware, the company was able to avoid the redeployment or purchasing of over 140 new servers.
Security "was not high on the list of concerns", according to King, in part because there were few virtualisation-aware security products available. "We had lots of DMZ networks and some separate development VLANs. We have normal firewalls, Cisco ASA firewalls, penetration testing by external companies. Anything which we didn't want to have that kind of connectivity in the physical estate, we keep separate in the virtual estate as well."
King says the company had standard security measures in place as well and had kept the same structure moving into a virtualised environment, following guidance on what needed to be kept physically separate for compliance reasons. Patch management using Microsoft tools remains the same for both physical and virtual environments. The company's technical risk and audit office can inspect inside the environments to ensure compliance with governance requirements. However, AV needed special considerations. "We had to have a good look at the times AV was running: if they all run at the same time during business hours or when the server is under load, that can put strain on the physical host."
Following the success of its server virtualisation programme, Standard Bank began looking into the potential benefits of desktop virtualisation and has now rolled out VMware View to 70 per cent of its 1,000 users. Having greater visibility of end-user machines means that, should the IT team notice any abnormal behaviour that could constitute a security threat, it can gain instant remote access to the end-user desktop to investigate and react quickly to any potential issue. Similarly, with information now stored centrally rather than on each individual PC or laptop, the risk of data loss has also been drastically reduced and recovering after any major outage is far easier to manage.
"We use it for remote working as well, which is one of the major benefits we have got from this solution," says King. "The security office decided that it didn't want people to VPN with a traditional client, so we use the Cisco ASA SSL VPN. It is just a browser-based VPN. You log in with a secure token and password and you get the View client."
A move to a server virtualisation infrastructure is now being planned, in order to increase virtualisation to about 90 per cent. King says security is already being considered. "We are looking at potentially virtualising DMZs using vShield zones. We are looking at our security products: we use Trend Micro products and we've looked at betas of products such as Deep Security. We are looking more towards an environment where we just segregate virtually, rather than keeping segregation physical." The new platform should also allow access virtualisation within both private and public clouds. "We are looking to build up into more of a self-service, provisioned environment based on virtualisation," King adds. This, of course, will bring its own security implications that King is still considering, with VMware's Cloud software providing a possible architecture.
