Security for VMware



Page 1: Security for VMware

The trend toward virtualization of IT infrastructure has been primarily focused on enterprise servers, especially in data centers where the resulting efficiencies represent significant cost savings for IT organizations. Because virtualization adds layers of technology, it also necessitates changes in security management. Virtualization introduces a new level of complexity for information security teams, which are responsible for hardening virtual systems while also supporting increased density and dynamic provisioning.

The importance of security in such environments cannot be overstated. Data protection on server infrastructure has been a top IT priority for some time, because it is on servers that significant data breaches are most likely to occur. In fact, 98 percent of compromised records are exposed on servers and online applications.¹

Even as virtualization adds infrastructure layers, information security best practices remain conceptually the same. “In general, organizations should have the same security controls in place for the virtualized operating systems as they have for the same operating systems running directly on hardware,” according to a recent report from the National Institute of Standards and Technology (NIST).² The NIST report recommends that organizations secure virtual systems “based on sound security practices, such as keeping software up-to-date with security patches, using secure configuration baselines, and using host-based firewalls, antivirus software, or other appropriate mechanisms to detect and stop attacks.”³

In effect, Information Security must complete the same checklist of protections for virtual systems as for physical infrastructure. In addition, consideration should also be given to adapting best practices to any unique requirements potentially introduced by the dynamic nature of the virtual server environment.

New PCI Virtualization Guidelines

Another factor driving secure virtualization is the increasing pressure from regulatory requirements to demonstrate effective protection of server infrastructures that house critical data and applications. A good example of how security standards are affecting virtualization efforts is a guidance paper recently published by the Payment Card Industry Security Standards Council (PCI SSC).4 Authored by a PCI special interest group consisting of more than 30 companies, including merchants, vendors, and Qualified Security Assessors (QSAs), the paper addresses the security implications of virtualization and maps them against the 12 main requirements of the PCI Data Security Standard (PCI DSS), indicating what actions should constitute best practice for each of the requirements.5

The PCI guidelines for the use of virtualization in cardholder data environments are based on the following four principles:

a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.

b. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.

c. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.

d. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.6

Ensuring Security for Virtual Server Infrastructure

Symantec Corporation

Industry Brief: Virtualization Trends

NIST Secure Virtual System Checklist

1. Keep up-to-date with security patches

2. Use secure configuration baselines

3. Use host-based firewalls, antivirus software, or other mechanisms to detect and stop attacks

1 2010 Verizon Breach Investigations Report.

2 Karen Scarfone, Murugiah Souppaya, and Paul Hoffman, “Guide to Security for Full Virtualization Technologies,” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, January 2011, 4-1.

3 NIST, op. cit., ES-1.

4 PCI Security Standards Council, PCI DSS Virtualization Guidelines, June 2011.

5 Ron Condon, “PCI virtualisation: With new guidelines, compliance may be harder,” SearchSecurity.co.uk, 14 June 2011.

6 PCI Security Standards Council, op. cit.

Page 2: Security for VMware


The new PCI guidelines hold several important implications for organizations that handle cardholder data. First, virtualization adds a dynamic dimension to the traditional best practices commonly used in physical infrastructures. Since there is no “one-size-fits-all” approach, organizations will require adaptive solutions that can accommodate different configurations of virtual infrastructure at various points along the adoption curve. The guidelines conclude with a recommendation that all virtualization components, even those considered to be out-of-scope, be designed to meet PCI DSS security requirements, because exposure of one virtual machine (VM) on a host system could lead to the compromise of other VMs on the same host. Although they do not change the standard, the new guidelines will help organizations ensure that the standard is enforced.

Secure Virtualization and Private Cloud Computing

Cloud computing is a way to provide scalable, elastic IT capabilities as services using Internet technologies. The cloud computing model enables organizations to consume software, platform, and infrastructure resources as services and avoid the licensing, consulting, and administrative costs associated with on-premise implementations. While some organizations adopt public cloud services available from cloud computing vendors on a multi-tenancy basis, many opt to develop their own private cloud services in order to reduce total cost of ownership while minimizing risks to data. Private cloud implementations generally involve virtualization and, therefore, require modern, adaptive approaches to security and compliance of virtual server infrastructures.

Cloud-based service enablement calls for granular control over the hardening of virtual systems using appropriate policy profiling. To ensure the ongoing integrity and availability of virtual servers, policies should be designed to enforce the following constraints:

• Limit cloud services to only those services required to support a given system’s function

• Limit user accounts and privilege escalations

• Control rogue behaviors such as file and configuration changes

• Constrain data mobility by monitoring data files

• Mitigate vulnerabilities due to inconsistent patch management

Only by ensuring the security of private cloud infrastructure can organizations realize the benefits in terms of cost efficiency.

Requirements for Virtualized Server Security

In extending protection to virtualized server infrastructures, IT Security faces a number of challenges, including management of administrator access, inbound and outbound communications, interactions between systems, and maintaining patch levels and configuration standards. To adapt to the unique variables introduced by virtualization, policies and controls must be modernized. In implementing such modernization, the following capabilities should be considered.

Monitor system behaviors. Virtual machines should be regularly monitored to discover potential vulnerabilities. Are there services on a particular VM that should not be running? Has a VM been moved such that it now has the ability to communicate with new workloads subject to different policy requirements, like PCI audit? Can removable media be attached to the VM through a USB port to extract data or introduce malware?

Control application and system services. It is necessary to see which applications are running on VMs and ensure that only appropriate apps are available on any given VM. Controls should include monitoring, alerts, and blocking of executables where appropriate.

Reduce the scope of virtual system interactions. In cases where multiple VMs coexist on a single host, new VMs may gain access to data or applications that should be off-limits. Central visibility across heterogeneous, hybrid environments is necessary to accurately oversee behaviors and activities.

Protect file systems. Organizations should conduct policy-based monitoring of all file systems on VMs, including applications, directories, and registry keys. It is common practice for hackers to change registry keys to cover their tracks. When that happens, the protection systems should generate an alert and, if necessary, lock down the file to prevent changes.

Maintain OS integrity. Check to see if any changes have been made to an OS that do not conform with configuration or patch standards. Real-time monitoring of VMs between patch windows can mitigate vulnerabilities and prevent malware from executing.

Monitor and restrict privileged user access. Privileged users of business-critical applications on VMs should be monitored to ensure that their behavior and activities are within the scope of requisite permissions and do not in any way jeopardize security or compliance posture.
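The policy constraints listed under private cloud computing and the monitoring questions raised in the capabilities above (unexpected services, a VM migrated into a PCI-scoped segment, removable media, patch drift, changed configuration files) can be expressed as one policy profile evaluated against a VM inventory. The following is an added illustration, not Symantec or VMware code; the policy values, the inventory records and the file contents are constructed for the example, and the `VM`, `evaluate` and `audit` names are assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed policy profile: services allowed per VM role, PCI-scoped network
# segments, a minimum patch level and a SHA-256 baseline for a config file.
POLICY = {
    "allowed_services": {"web": {"nginx", "sshd"}, "db": {"postgresql", "sshd"}},
    "pci_segments": {"pci-dmz"},
    "min_patch_level": 20110630,  # constructed YYYYMMDD baseline
    "file_baseline": {
        "/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\n").hexdigest(),
    },
}

@dataclass
class VM:
    name: str
    role: str
    services: set
    segment: str          # network segment the VM currently sits in
    pci_scoped: bool      # whether the VM has been assessed under PCI DSS
    usb_attached: bool    # removable media presented to the guest
    patch_level: int
    files: dict           # path -> current file content (bytes), constructed

def evaluate(vm, policy=POLICY):
    """Return the list of policy findings for one VM (empty list = compliant)."""
    findings = []
    extra = vm.services - policy["allowed_services"].get(vm.role, set())
    if extra:
        findings.append(f"unexpected services: {sorted(extra)}")
    # A VM moved into a PCI segment inherits PCI DSS requirements
    if vm.segment in policy["pci_segments"] and not vm.pci_scoped:
        findings.append(f"moved into PCI segment {vm.segment} without PCI scoping")
    if vm.usb_attached:
        findings.append("removable media attached")
    if vm.patch_level < policy["min_patch_level"]:
        findings.append(f"patch level {vm.patch_level} below baseline")
    for path, expected in policy["file_baseline"].items():
        current = vm.files.get(path)
        if current is None:
            findings.append(f"{path} missing")
        elif hashlib.sha256(current).hexdigest() != expected:
            findings.append(f"{path} changed from baseline")
    return findings

# Constructed inventory: a compliant web VM, a drifted web VM, a stale DB VM.
GOOD_CFG = b"PermitRootLogin no\n"
INVENTORY = [
    VM("web01", "web", {"nginx", "sshd"}, "dmz", False, False, 20110705, {"/etc/ssh/sshd_config": GOOD_CFG}),
    VM("web02", "web", {"nginx", "sshd", "telnetd"}, "pci-dmz", False, True, 20110705, {"/etc/ssh/sshd_config": GOOD_CFG}),
    VM("db01", "db", {"postgresql", "sshd"}, "pci-dmz", True, False, 20110301, {"/etc/ssh/sshd_config": b"PermitRootLogin yes\n"}),
]

def audit(inventory=INVENTORY, policy=POLICY):
    # Map each VM name to its findings, as a central console would report them
    return {vm.name: evaluate(vm, policy) for vm in inventory}
```

In a real deployment the inventory would be pulled from the hypervisor management API and the guest agents; here `audit()` runs over the embedded records and returns three findings for web02 and two for db01.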

IT Virtual Server Security Challenges

• Management of administration access

• Inbound and outbound communications

• Interactions between systems

• Maintaining patch levels and configuration standards

Page 3: Security for VMware

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, and Insight are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 07/11 21202606

Security Solutions for Virtualized Servers

Like mobile and cloud computing strategies, virtualization is rapidly becoming a standard dimension of enterprise IT initiatives. When it comes to security, it is important to make sure that solutions designed to protect data, people, and systems offer the same capabilities for both virtual and physical servers. The following Symantec products are successfully employed by customers today across physical and virtual server environments.

Symantec™ Critical System Protection. Critical System Protection is a host-based intrusion detection and prevention solution that allows organizations to protect business-critical servers seamlessly across heterogeneous virtual and physical environments while accelerating density goals and reducing cost. The centrally managed, policy-driven solution monitors file systems and prevents policy violations with minimum impact on server workloads and system performance. The built-in ESX Policy Pack protects the ESX console operating system and guest operating systems and applications with layered controls to limit networking of non-ESX programs and to block write access to ESX configuration and data files.

Symantec™ Control Compliance Suite. Control Compliance Suite addresses IT risk and compliance challenges by delivering greater visibility and control across virtual and physical server infrastructure. Capabilities include regulatory and technical content that is automatically mapped to policies and updated as regulations change, as well as automated system discovery and vulnerability assessments to identify noncompliant virtual and physical systems.

Symantec™ Endpoint Protection. Endpoint Protection delivers unparalleled security and proven superior performance7 in a single system optimized for both physical and virtual environments. Symantec Endpoint Protection is powered by Symantec’s exclusive Insight™ detection technology. Insight catches rapidly mutating malware threats that other approaches miss and reduces scan overhead by up to 70 percent in high-density environments.8

Symantec™ Security Information Manager. Security Information Manager enables organizations to establish central visibility to critical virtual server incidents. It offers broad log data collection across physical and virtual servers, including a purpose-built collector for ESX environments. Comprehensive, real-time incident correlation, including content from the Symantec Global Intelligence Network, transforms data from physical and virtual environments worldwide into actionable intelligence.

Conclusion

It is a well-established fact that server infrastructure represents the number one target for cybercriminals and the most likely location of data breaches. Virtualization adds new layers of complexity to server infrastructure so that ensuring security and compliance requires more granular controls and the ability to consistently enforce policies across both physical and virtual environments. Symantec can help seamlessly extend protection to virtualized servers by discovering, monitoring, and controlling behaviors and activities that may compromise the performance and availability of virtual systems. With help from Symantec, you can confidently pursue the virtualization of your most business-critical IT infrastructure.

About Symantec

Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.

Visit our website: www.symantec.com/virtualization

To speak with a Product Specialist in the U.S.: Call toll-free 1 (800) 745 6054

To speak with a Product Specialist outside the U.S.: For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

7 PassMark Software, Enterprise Endpoint Protection Performance Benchmarks, February 2011.

8 Tolly Enterprises, Symantec Endpoint Protection 12.1 vs. McAfee and Trend Micro, Anti-virus Performance in VMware ESX Virtual Environments, June 2011.