When you hear the word security in today’s information technology climate, you may feel shivers down your spine. IT security has been a rapidly growing field for some time now. The news has been full of stories dealing with data breaches, ransomware, and lots of things you hopefully have not experienced in your environment. Whether other areas of IT infrastructure like to hear it or not, the VMware vSphere environment, and the team running it are crucial to many organizations today. Every VMware vSphere operator and administrator should have a basic understanding of what IT security is, and how they can make their VMware vSphere environment more secure.
Why Does the IT Security Team Exist?
Your friendly neighborhood IT security team exists to protect the company from threats that can cause disruption of business. These threats can be internal or external, and disruption of business can be anything from someone running amok in the data center, to a data breach, to a hurricane impacting daily operations. At the end of the day, the IT security team is responsible for helping the business determine what risks exist, and for managing the policies and procedures that mitigate those risks.
The job of the IT security team is not to make the rest of the business miserable. Many complain about security controls in their organization that seem too restrictive. The fact is, these controls are in place for a reason, most likely because a risk analysis has been done and the controls have been deemed necessary to protect the organization.
Why the VMware vSphere Team is Essential to IT Security
Let’s face it, almost everything in the data center these days is virtualized with VMware vSphere. This makes the VMware vSphere environment a concentration of risk: someone who gains administrative access to vCenter Server or an ESXi host can copy or snapshot virtual machine disks and memory, and change or destroy workloads, without ever logging in to a guest operating system. If someone were to access the VMware vSphere environment with malicious intentions, key business applications would surely be at risk.
We all know how important it is that our VMware vSphere environment always be up and running. We also need to keep the same level of importance in mind when it comes to VMware vSphere security.
Now, let’s review a few resources for those who are not yet familiar with VMware vSphere security and want to learn more.
The VMware Security Hardening Guides – Required VMware Security Reading For All
The VMware vSphere Hardening Guide, now called the vSphere Security Configuration Guide, can be found here from VMware on their site. The first rule of thumb is to always get the guide directly from VMware so you can be sure you are looking at the latest version; there is a separate guide for each version of VMware vSphere. The guide is an easy-to-use Microsoft Excel worksheet. When you open it you will find, for each guideline, the risk level, a discussion of the weakness the guideline addresses, the configuration options, how to assess the current value and how to implement the change (including the PowerCLI commands to check and set it). It also notes whether the guideline can be applied using a host profile.
The biggest thing that often confuses people when it comes to the guide is the Risk Profile, which is divided into three categories:
- Risk Profile 1, Highest Security Environments
- Risk Profile 2, More Sensitive Environments
- Risk Profile 3, All Environments
While this guide should be mandatory reading for all, it is not the be-all and end-all. It is a starting point, and even though a Risk Profile is listed for each guideline, the authors of the guide do not have the most important information of all: the specifics of your business and your VMware vSphere environment. Remember, IT security teams never want to implement a control for the sake of making people miserable and less productive. It is up to you to use the guide as the starting point for a wider discussion about the state and security of your VMware vSphere environment.
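The guide’s worksheet gives you, per guideline, the setting to look at and the value to expect; turning that into a read-only check across the whole inventory is the natural first step before any of those wider discussions. The PowerCLI script below is an added example, not code from the article or from VMware. It assumes the VMware.PowerCLI module is installed and that Connect-VIServer has already been run. The guideline IDs and expected values are illustrative placeholders: copy the real ones for your vSphere version from the guide itself.

```powershell
# Added example (not from the article or from VMware): a read-only PowerCLI audit
# of a few Security Configuration Guide settings. Assumes the VMware.PowerCLI
# module and an existing Connect-VIServer session. Guideline IDs and expected
# values below are illustrative placeholders; take the real ones from the guide.

# Constructed ESXi guideline table, mirroring the guide's columns (ID, the advanced
# setting it maps to, expected value). Expected may be a literal or a scriptblock
# for a site-specific rule such as "syslog must leave the host over TLS".
$EsxiGuidelines = @(
    @{ Id = 'ESXi.set-account-lockout';  Setting = 'Security.AccountLockFailures';            Expected = 5 }
    @{ Id = 'ESXi.set-shell-timeout';    Setting = 'UserVars.ESXiShellTimeOut';               Expected = 600 }
    @{ Id = 'ESXi.disable-mob';          Setting = 'Config.HostAgent.plugins.solo.enableMob'; Expected = $false }
    @{ Id = 'ESXi.enable-remote-syslog'; Setting = 'Syslog.global.logHost';                   Expected = { param($v) $v -like 'ssl://*' } }
)

# Constructed VM guideline table. A VM key only exists in the .vmx once someone has
# set it, so each row records whether an absent key is acceptable. Console
# copy/paste, for example, is already disabled when the key is missing, while a
# missing RemoteDisplay.maxConnections means the connection limit is not in place.
$VmGuidelines = @(
    @{ Id = 'VM.disable-console-copy';      Setting = 'isolation.tools.copy.disable';  Expected = $true; AbsentIsCompliant = $true }
    @{ Id = 'VM.disable-console-paste';     Setting = 'isolation.tools.paste.disable'; Expected = $true; AbsentIsCompliant = $true }
    @{ Id = 'VM.limit-console-connections'; Setting = 'RemoteDisplay.maxConnections';  Expected = 1;     AbsentIsCompliant = $false }
)

function Test-GuidelineValue {
    # Classifies one observed value as Compliant, NonCompliant or NotSet.
    param($Expected, $Actual, [bool]$AbsentIsCompliant = $false)
    # Cast to [string] first so that a genuine $false is not mistaken for "empty".
    if ($null -eq $Actual -or [string]$Actual -eq '') {
        if ($AbsentIsCompliant) { return 'Compliant' } else { return 'NotSet' }
    }
    if ($Expected -is [scriptblock]) {
        if (& $Expected $Actual) { return 'Compliant' } else { return 'NonCompliant' }
    }
    # String -eq is case-insensitive in PowerShell, so TRUE, True and $true all agree.
    if ([string]$Actual -eq [string]$Expected) { 'Compliant' } else { 'NonCompliant' }
}

function Get-GuidelineReport {
    # Evaluates every guideline against every inventory object (VMHost or VM) and
    # emits one row per pair. Nothing on the host or VM is changed.
    param([Parameter(Mandatory)] $Entities, [Parameter(Mandatory)] $Guidelines)
    foreach ($entity in $Entities) {
        foreach ($g in $Guidelines) {
            # Get-AdvancedSetting returns nothing for a VM key that was never set.
            $adv    = Get-AdvancedSetting -Entity $entity -Name $g.Setting -ErrorAction SilentlyContinue
            $actual = if ($adv) { $adv.Value } else { $null }
            [pscustomobject]@{
                Entity    = $entity.Name
                Guideline = $g.Id
                Setting   = $g.Setting
                Expected  = $g.Expected
                Actual    = $actual
                Status    = Test-GuidelineValue -Expected $g.Expected -Actual $actual -AbsentIsCompliant ([bool]$g.AbsentIsCompliant)
            }
        }
    }
}

# Usage (read-only). Review the NotSet and NonCompliant rows with your security
# team before deciding what, if anything, to remediate.
$report = @(Get-GuidelineReport -Entities (Get-VMHost) -Guidelines $EsxiGuidelines) +
          @(Get-GuidelineReport -Entities (Get-VM)     -Guidelines $VmGuidelines)
$report | Where-Object Status -ne 'Compliant' | Sort-Object Entity, Guideline | Format-Table -AutoSize
```

The report deliberately keeps NotSet as its own state instead of folding it into Compliant or NonCompliant: for most VM keys the guide’s recommendation only applies once the key is present, and a missing key is exactly the kind of site-specific question the rest of this section says you should be raising with the security team rather than answering by script.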
Changes to the vSphere Security Configuration Guide as of vSphere 6.7 U1
As of vSphere 6.7 U1, major changes have been made to the vSphere Security Configuration Guide. Remember, we are moving away from the term “vSphere Hardening Guide”, since many of the settings are not really related to hardening at all. After more careful examination of the guide, many of the settings were determined to be site specific versus hardening.
When you think about these site specific settings, many of them require an understanding of the IT environment as a whole, and corporate IT security policies. Additionally, there is a third category called audit settings, which also requires a greater knowledge of the infrastructure and policy.
The biggest change concerns the Risk Profiles discussed above: they have been removed in the latest version of the vSphere Security Configuration Guide. On review, this does not have a negative impact overall, but it will make vSphere architects and administrators think twice about what they are implementing. Before, many may have been tempted to blanket-apply a Risk Profile to an environment without thinking much about it at all.
All in all, over the last several versions, Mike Foley has done a great job of making this guide more consumable by both vSphere administrators and information security personnel. You can read his blog post on the vSphere Security Configuration Guide for vSphere 6.7 U1 here.
You can download all versions of the VMware vSphere Hardening Guide / VMware vSphere Security Configuration Guide here.
Incident Response and VMware Security
One of the most critical aspects of any IT security organization is incident response. How does the IT security organization respond when something happens, because let’s face it, something will happen.
As a member of the VMware vSphere team, the first thing you should do after reading this article is subscribe to Security Advisories from the VMware Security Response Center. This ensures when a new security advisory is released by VMware you will be in the loop. The last thing you want is for IT security to be knocking on your door when a security advisory has been released, and for you to know nothing about it.
For example, let us look at a recent vulnerability in Intel processors called L1 Terminal Fault, or L1TF. This was a big bad one: it is a speculative-execution flaw in the processor itself, and the variant that affects hypervisors lets a malicious guest read data from the L1 data cache of a shared core, including data that belongs to other virtual machines or to ESXi. We are used to a false sense of security when it comes to VMware, since we are immune to things like Windows vulnerabilities… or are we?
While that processor-level vulnerability affects the hypervisor directly, we are also affected by vulnerabilities in the guest operating systems running in our VMware vSphere environment. They may not touch the hypervisor, but patching and remediation activity increases the load on it: test environments get used more heavily than usual, and we may be asked to take virtual machine snapshots so that remediation can be tested and rolled back.
As VMware vSphere administrators and operators we need to be concerned with responding to incidents in both our hypervisor and virtual machine environments. If you find this topic interesting, be sure to read An Introduction to Security Advisories and Response for VMware vSphere Administrators.
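Reading an advisory is only half of the response; the other half is knowing which hosts it applies to and whether the fix is actually in effect. The PowerCLI script below is an added example, not code from the article or from VMware. It assumes PowerCLI and an existing Connect-VIServer session. The build numbers in the table are placeholders to be copied from the advisory you are responding to; the advanced setting name is the one ESXi uses for the L1TF side-channel-aware scheduler, which the patch installs but does not switch on.

```powershell
# Added example (not from the article or from VMware): after an advisory is
# published, check every ESXi host for two things: is it on a fixed build, and,
# for a mitigation that ships switched off, has it actually been enabled.
# Assumes PowerCLI and an existing Connect-VIServer session.

# Placeholder table: vSphere major.minor -> lowest build the advisory lists as
# fixed. Fill these in from the advisory; zero here means "not yet looked up".
$FixedBuilds = @{
    '6.0' = 0
    '6.5' = 0
    '6.7' = 0
}

function Test-HostPatchLevel {
    # Compares a host's build number against the fixed build for its version.
    param([string]$Version, [int]$Build, [hashtable]$Fixed)
    $majorMinor = ($Version -split '\.')[0..1] -join '.'
    if (-not $Fixed.ContainsKey($majorMinor)) { return 'NotCovered' }
    if ($Build -ge $Fixed[$majorMinor]) { 'Patched' } else { 'Vulnerable' }
}

function Get-AdvisoryStatus {
    # One row per host: patch level plus whether the mitigation setting is on.
    param(
        [Parameter(Mandatory)] $VMHosts,
        [Parameter(Mandatory)] [hashtable]$Fixed,
        # ESXi advanced setting that turns on the L1TF side-channel-aware scheduler.
        [string]$MitigationSetting = 'VMkernel.Boot.hyperthreadingMitigation'
    )
    foreach ($h in $VMHosts) {
        $mit = Get-AdvancedSetting -Entity $h -Name $MitigationSetting -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Host        = $h.Name
            Version     = $h.Version
            Build       = $h.Build
            PatchStatus = Test-HostPatchLevel -Version $h.Version -Build $h.Build -Fixed $Fixed
            # $null means the setting does not exist, i.e. the host predates the patch.
            # Compare as a string: [bool]'FALSE' would be $true in PowerShell.
            MitigationEnabled = if ($mit) { [string]$mit.Value -eq 'True' } else { $null }
        }
    }
}

# Usage (read-only): list every host that still needs attention.
Get-AdvisoryStatus -VMHosts (Get-VMHost) -Fixed $FixedBuilds |
    Where-Object { $_.PatchStatus -ne 'Patched' -or -not $_.MitigationEnabled } |
    Format-Table -AutoSize
```

A host can be fully patched and still show up in this list, and that is the point: enabling the side-channel-aware scheduler is a separate change that takes effect after a host reboot and stops VMs from sharing a core’s hyperthreads, which costs capacity. That trade-off between risk and headroom is a decision to make together with the security team, not something to flip quietly during a patch window.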
VMware vSphere Security and Business Continuity and Disaster Recovery
One more area the IT security team is often concerned with is Business Continuity and Disaster Recovery. As members of the VMware vSphere team, we are obsessed with ensuring our service is available. We want to make sure our users can access their applications (which of course, run on our virtual machines), and that if they can’t, we can restore access in a timely manner by either fixing the issue or bringing the system online in another location.
While we are worried about our VMware vSphere environment and applications, so is the IT security team, but they take things a step further. While we are focused on infrastructure, they are focused on the business we are supporting. They are concerned with ensuring the services our business needs to run are available, and above all else, that our employees are safe and sound during a disaster.
When it comes down to it, many of our goals as the VMware vSphere team are the same as the IT security team, yet these two groups may not always have the best working relationship. By learning more about IT security practices, we can become better VMware vSphere administrators and operators, and better custodians of our data and applications.
Further IT Security Reading
Are you intrigued by this discussion? There are many facets of information security to learn about, and many free resources on the internet.
I recommend starting with US-CERT’s Information Security Basics, as well as some of their publications. US-CERT is the United States Computer Emergency Readiness Team, and is on top of threats as they emerge.
SANS also provides a number of free resources.
One of the best ways to learn more about information security is to use Twitter to find information security professionals and follow them. Search for terms like InfoSec, Information Security, and IT Security and find the accounts that look interesting to you. Twitter is often an underrated learning resource, but truly one of my favorites.
I hope this article has inspired you to delve deeper into the world of IT security as a virtualization professional. Whether we like it or not, we play a huge role in today’s information technology security world. By embracing it and learning more, we can continue to keep our VMware vSphere environments secure, and recover from incidents as quickly as possible.