ISACA guide details strategies for minimising virtualisation risks

According to ISACA, which now has more than 90,000 members worldwide, virtualisation has earned its way onto the boardroom management agenda and is being implemented by enterprises worldwide.

But, says the association, along with the many benefits of virtualisation come considerable risks.

Ramsis Gallego, the author of the white paper and general manager with Entel IT Consulting, says that virtualisation has recently become a more common practice and enterprises are already realising cost savings and efficiencies by moving to virtualised environments.

"However, to achieve this value, enterprises must consider the potential security risks and governance considerations. Having well-documented business processes and strong audit capabilities will help ensure the best possible value", he said.

The 11-page white paper, which Infosecurity notes is available for download without registration to all comers and not just ISACA members, says that attacks on virtualisation infrastructure can be classified into two categories: hyperjacking and virtual machine (VM) jumping.

Hyperjacking, says the paper, is still a theoretical attack scenario, but has earned significant attention because of the major damage it can potentially cause.

There are also, the paper goes on to say, significant compliance and management challenges, as the number and types of VM can easily get out of hand.

VM sprawl, says Gallego, along with dormant VMs, makes it a challenge to get accurate results from vulnerability assessments, patching/updates and auditing.

To combat these risks, ISACA recommends that users patch and harden the hypervisor and the guests it supports, as well as use physical, network and virtualisation-based separation to segment VMs and systems.

Users are also advised to use transport encryption to secure VM migration, and to implement virtualisation-aware management products and services.

The conclusion of the white paper, titled 'Virtualisation: Benefits and Challenges', is that virtualisation has affected the way enterprises run their IT operations.

"While virtualisation has only recently left 'emergent technology' status and become a more common practice, enterprises have already seen benefits to moving to virtualised environments", says the paper.

"Those benefits include a lower total cost of ownership, increased efficiency, positive impacts to sustainable IT plans and increased agility", it adds.

The paper goes on to say that enterprises must also consider the potential security risks and change implications that accompany moving to a virtualised environment.

Mitigating many of these threats – and having well-documented business processes and strong audit capabilities – the paper concludes, will help ensure that enterprises generate the highest possible value from their IT environments.
