Securing the Virtual World for Real World Business Returns

More and more, organizations are evolving to a new virtual computing paradigm, but security programs and standards are lagging behind. Few organizations have a separate virtualization cyber security strategy and for the most part are focused on doing what has been done all along. This presents a risk because while the key security risks may be the same, an attack in a virtual environment can result in a larger impact. In the end, what matters is how things are managed when bad things happen. Because incident response is what will be remembered, security professionals should strive for fewer incidents and protect what matters rather than trying to prevent everything.

Recommendations for security the virtual world include:

• Have a gold standard and use that to implement the security posture across the entire environment.
• Understand what is important to the organization, prioritize the assets and focus on controls around those assets.
• Develop a strategy that focuses on the basics, particularly around asset management.
• Lock down the environment as much as possible, leveraging layered security controls.
• Develop an incident response plan that takes virtual elements into account.
• Think about the data centers as being separate from the desktop and having different strategies and approaches for each.
• Make sure the users are brought along in the process.
• Have a strong focus and discipline around change management and control items being introduced into the environment.
• Take your vertical industry into account. Regulations such as those in the financial services industry may make it easier to mandate controls whereas those in education may face potential politics because of different objectives and agendas.