Is virtualization a new channel for data loss?

August 12, 2009 Sophos Press Release

IT security and control firm Sophos today announced that it has published a new podcast exploring the data loss risks associated with virtualization.

In the podcast, James Lyne from the technology office at Sophos is interviewed by Carole Theriault about the increasing use of virtualization and how the security measures which existed in the physical server environment are being lost in transition.

"Many organizations now have a 'virtualization first' policy and are migrating their physical infrastructure," said James Lyne, senior technologist at Sophos. "One of the outcomes of virtualization is that the hard drive becomes a file and they are often stored on network file shares which are often accessible to a large number of people. In the physical world, these critical systems would be locked down in the data centre but in chasing reduced TCO and high availability, they are now floating in poorly secured storage locations and are subject to data theft."

"By leaving data unencrypted on these virtual systems, organizations are compromising the security of sensitive and confidential data and in most cases, unaware of this threat vector."

To avoid costly data leaks and data, consider the following:

  • Review access controls on the storage infrastructure for the virtualization platform. Anyone with access to this storage can access data in the systems, irrespective of controls within the virtual machine.
  • Ensure that you have a policy on how to maintain segmentation in the virtual world.
  • Many of these virtualization systems are designed to provide high availability, which will often involve replication across a number of geographic locations. Ensure that these other locations also comply with your security policy.
  • Business procedures on virtualization infrastructure are often applied with little consideration for their security ramifications. Ensure that backup procedures are not a security loophole, e.g. moving your virtual machines to unencrypted backup tapes.
  • Encrypt your sensitive virtual machines with full disk encryption. Should the virtual hard drive file be exposed, it will not be accessible, much like an encrypted laptop found on a train.
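
The first recommendation, reviewing access controls on the storage that holds virtual hard drive files, can be partly automated. The following is an added example, not part of the Sophos release: a Python audit that walks a datastore directory and reports disk images that group members or all users can actually read. It assumes POSIX permission bits (SMB/NTFS ACLs and NFS export rules need a separate review), and the extension list and function names are illustrative.

```python
import os
import stat
import sys

# Virtual disk image extensions to look for (assumed list; extend as needed).
DISK_EXTS = {".vmdk", ".vhd", ".vhdx", ".vdi", ".qcow2"}

def _reachable(path, root, xbit):
    """True if every directory between root and path grants the search bit.
    The share root itself is assumed reachable by everyone with share access."""
    root = os.path.abspath(root)
    d = os.path.dirname(os.path.abspath(path))
    while d != root:
        if not os.stat(d).st_mode & xbit:
            return False
        d = os.path.dirname(d)
    return True

def audit_datastore(root):
    """Map each exposed disk image under root to the classes that can read it."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in DISK_EXTS:
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            exposed = []
            # A read bit only matters if the directories above allow traversal.
            if mode & stat.S_IRGRP and _reachable(path, root, stat.S_IXGRP):
                exposed.append("group")
            if mode & stat.S_IROTH and _reachable(path, root, stat.S_IXOTH):
                exposed.append("other")
            if exposed:
                findings[os.path.relpath(path, root)] = exposed
    return findings

if __name__ == "__main__":
    # Usage: python audit.py /path/to/datastore (defaults to current directory)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, who in sorted(audit_datastore(root).items()):
        print(f"{rel}: readable by {', '.join(who)}")
```

Run it as a user that can traverse the whole datastore, and repeat it on replica and backup locations so they are held to the same policy.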