12 Aug 2009
Is virtualization a new channel for data loss?
Senior technologist advises organizations to encrypt data in virtual infrastructure
IT security and control firm Sophos today announced that it has
published a new podcast exploring the data loss risks associated
with virtualization.
In the podcast, James Lyne from the technology office at Sophos
is interviewed by Carole Theriault about the increasing use of
virtualization and how the security measures that existed in the
physical server environment are being lost in transition.
"Many organizations now have a 'virtualization first' policy and
are migrating their physical infrastructure," said James Lyne,
senior technologist at Sophos. "One of the outcomes of
virtualization is that the hard drive becomes a file and they are
often stored on network file shares which are often accessible to a
large number of people. In the physical world, these critical
systems would be locked down in the data centre but in chasing
reduced TCO and high availability, they are now floating in poorly
secured storage locations and are subject to data theft."
"By leaving data unencrypted on these virtual systems,
organizations are compromising the security of sensitive and
confidential data and in most cases, unaware of this threat
vector."
To avoid costly data leaks and data loss, consider the following:
- Review access controls on the storage infrastructure for the
virtualization platform. Anyone with access to this storage can
access data in the systems irrespective of controls within the
virtual machine
- Ensure that you have a policy on how to maintain segmentation
in the virtual world
- Many of these virtualization systems are designed to provide
high availability, which will often involve replication across a
number of geographic locations. Ensure that these other locations
also comply with your security policy
- Business procedures on virtualization infrastructure are often
applied with little consideration for their security ramifications.
Ensure that backup procedures are not a security loophole, e.g.
moving your virtual machines to unencrypted backup tapes
- Encrypt your sensitive virtual machines with full disk
encryption. Should the virtual hard drive file be exposed, it will
not be accessible, much like an encrypted laptop found on a
train.
About Sophos
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.