informa
/
Attacks/Breaches
News

A Virtual Checklist

Enterprises need to get the message that benchmarking systems are key to security

3:01 PM -- A recent mailing list thread about requiring accreditation before putting a system into service got me thinking about standardization of enterprise systems. The goal here is to have each workstation or server meet a certain benchmark before letting it take on its duties: The benchmark measures the security posture of the system, making sure it meets the enterprise's configuration and security setting policies.

So obviously this is a commonplace practice in large enterprises, right? Not so much. Many large enterprises still don't get that when you standardize your configurations, it takes less time to support and to figure out a system that one of your co-workers or subordinates set up -- because they followed a checklist. (That checklist is based on a benchmark that can be measured across all systems.)

This week, the Center for Information Security (CIS) released version 1.0 of their Virtual Machine Security Guidelines, and it's no surprise to see that the project's technical co-lead is Bill Stearns from IntelGuardians, the company that recently demonstrated a VM escape. The guidelines focus generically on virtual machines and do a great job of documenting the threats to virtual machines and considerations for network security, data isolation, and remote management. (See Virtualization's New Benchmark.)

If you've never heard of CIS before, it's an organization that creates recommended baseline security configurations, or benchmarks. CIS has produced approximately 30 benchmarks and tools for operating systems, network devices, and applications. The benchmarks are essentially guidelines documenting security settings -- including why they are important, and steps to configure your system to comply with each one. The tools score systems on how well they meet the benchmark.

It's excellent news that CIS is taking the initiative and producing guidelines for protecting virtual infrastructures. Virtual machines and their physical hosts require more security precautions because a flaw impacting the host also affects the virtual machines running on it.

As more and more enterprises move toward virtualization, the CIS virtual machine guide will become increasingly important. Next week at VMworld, a follow-up benchmark for VMware ESX Server 2.5 and 3.0 will be released at the ConfigureSoft booth and will be made available on the CIS Website later this month. So keep an eye on the CIS Website.

-- John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5