Back to Top

Virtualisation Security Assessment Service

Virtualisation is swiftly becoming a common method to reduce infrastructure costs and efficiently manage processor, memory and storage across system functions. Virtualisation brings about its own information security challenges, including ensuring effective segregation of systems and information assets as well as ensuring secure configuration of hosts and virtual machines.

Digital Assurance is able to use its extensive expertise in virtualisation technologies to perform a security review of your environment. Using the Digital Assurance bespoke methodology it is possible to assess that the design, implementation and on-going management of a customer virtualised environment.

Our review of a virtualised platform encompasses the following areas: -

  • Virtual Network Design Review – an assessment of the configuration and architecture of the physical and virtual networks comprising the virtualised platform. This ensures that enforced segregation exists between network domains and sensitive information assets that would not be more straightforward to compromise through the use of virtualisation technologies;
  • Virtual High Availability and Clustering Review – ensuring that fault tolerance, clustering and load balancing virtualised technologies are properly implemented to maintain the required business availability of the platform;
  • Virtual Backup Strategy – that the solution is being properly backed up to support the platform, that service can be restored in line with service level requirements and that the virtual backup features cannot lead to unauthorised access to information assets;
  • Virtual Storage Area Network Environment – comprising a review of the setup and configuration of access to the Storage Area Network (SAN) environment, including proper authentication, permissions and access control that should prevent unauthorised access to a key store of aggregated information assets;
  • Virtual Capacity Planning – a review of the processes and technical controls that support the management of capacity planning and resource allocation to the virtual platform such that platform availability and performance will not be compromised;
  • Virtual Network Infrastructure Security Check – using our extensive security assessment experience and bespoke methodologies, we shall review the host and virtual machine interfaces to ensure that there are no vulnerabilities in the business, backup, storage and management interfaces that could be used to compromise the confidentiality, integrity and availability of information assets.

The deliverable from our extensive virtualisation review is a comprehensive report detailing the effectiveness of the solution in addition to any identified vulnerabilities and weaknesses alongside pragmatic remediation advice.

The expected return on investment from commissioning a virtualisation review is increased assurance to the organisation that the virtualised platform is as secure as possible and a reduced risk of widespread compromise. As such this reduces the risk of unauthorised access to private networks or sensitive information assets.

The following areas outlines the methodology and approach to virtualisation assessments:-

Network Design Review

In our experience, a large number of virtual implementations are implemented with functionality rather than security in mind. In traditional network environments physical segregation and division would have often been applied to ensure that server LAN, DMZ, storage and management networks were all separate. Firewalls and Access Control Lists (ACLs) would have been applied to ensure that traffic between these segments would have been limited. In many virtual environments implementation does not follow these best practises of network design. In our review, we will assess the choices made during the design process regarding networking.

High Availability and DRS Clustering Review

One of the obvious disadvantages of virtualisation is that the impact of a host server failure is greater. Should a physical server fail then potentially great numbers of servers and/or virtual desktops will become unavailable too. Virtual hosts often have a number of technologies that protect against this eventuality. If they are not correctly implemented, however, then they may not function as expected in the event of a failure.

Any Fault Tolerance features are often used inappropriately - or not at all - and may cause issues for organisations that have not fully understood the implications of how it should work.

Our review ensures that any HA / clustering technologies are properly configured to protect the availability of a virtual domain.

Backup

Understanding the virtual machine backup strategy is essential. Digital Assurance will assess the backup strategy and review any configuration that is in place to ensure that all hosts and virtual machines are being properly backed up and in the event of any outage that service can be restored as quickly as possible.

SAN Environment

The key component of a virtual implementation’s success is an effective virtual machine storage strategy. The review will undertake a series of checks against the storage environment to ensure that it has been correctly specified. While there are a large number of permutations for the vendor and type of storage array being used, the design best practices are similar across technologies.

Capacity Planning

Once a virtual environment is running successfully, it then becomes essential to perform on-going monitoring and management. Capacity planning is an integral task to ensure that the environment grows according to plan, rather than in an adhoc manner. The review will ensure that the organisation’s strategy with regard to capacity planning is sufficient and in line with best practice.

Network Infrastructure Security Check

This part of the methodology comprises a security review of a number of key network areas including the LAN, DMZ, iSCSI and Management networks to conduct a network security assessment.

Following our extensive security testing methodology and using a variety of automated, manual and bespoke assessment tools, Digital Assurance will analyse the vulnerability profile of the network.

Connections will be made to virtualisation servers and related network devices in a bid to identify network services that could be vulnerable to compromise. Where permission is obtained, the tester may actively exploit any vulnerabilities or weaknesses to obtain further access to the system to assess the impact of any breach.