Security and regulatory issues slow virtualisation drive

Concerns around security are slowing the drive to virtualisation in heavily regulated industries.

Share

Concerns around security are slowing the drive to virtualisation in heavily regulated industries.

Financial service companies in particular, which are subject to controls, such as the Payment Card Industry Data Security Standard (PCI DSS), should be cautious, according to Joshua Corman, principal security strategist at IBM's Internet Security Systems division.

"If you have a choice, I highly recommend you don't adopt virtualisation for any regulated project," said Corman, speaking at the recent Interop conference.

He said virtualisation brings new attack surfaces, operational and availability risks, and increased complexity with features such as live migration.

Live migration features that move VMs from one physical server to another open up new attack possibilities, he pointed out. Datacentre managers should be asking if their VMs are moving to less-secure servers.

For use of virtualisation in production, Corman strongly recommended Type 1 hypervisors -- bare-metal hypervisors that run directly on hardware -- over Type 2 hosted hypervisors that are often free and meant for test and development.

He pointed out the PCI DSS adds more confusion because the rules suggest each server should have only one primary function, which could be taken to mean servers shouldn't be virtualised at all if they are to conform with PCI DSS rules.

Acknowledging uncertainty over the matter, the PCI Security Standards Council expects to be issuing guidelines on virtualisation and payment-card processing by year-end.

Security managers are heeding such advice.

There's increased pressure to save costs, something virtualisation might potentially deliver, but any cost savings could evaporate if virtualisation brings heightened risks and security concerns, said Lynn Terwoerds, head of security architecture and standards for financial services firm Barclays Bank.

"I'm challenged by that," said Terwoerds, who spoke on the topic during a panel discussion at last month's RSA Conference.

In the recent effort at Barclays to understand the impact of any move to virtualisation, the "risk and audit folks" who play a role in bank technology decisions have been asking questions such as 'what new risks are you introducing or can you lower your risk profile in any way?'" Terwoerds pointed out.

She said metrics to firmly address such questions are hard to come by and in a bank environment, which must conform to many regulations for data-retention as well as the the Sarbanes-Oxley Act rules, and there's no room for a casual decision.

"We want to define in explicit detail where is our customer's data and where is it going," Terwoerds said, noting the PCI rules seem like "a cold bucket of water" on virtualisation deployment in that area.

But the larger issue is that virtualisation is not just "a technology problem" that needs to be understood but "it's how I'm managing my vendors and contracts, especially what is auditable," Terwoerds said, adding that banks tend to be cautious on that score.