Nov 18

In an effort to expand some of the knowledge on the blog and get some more relevant posts up I’ve reached out to some people internal to VMware who will contribute here from time to time. First up is a good friend, Rob Randell. I hope you find the different views these guests share. This first post from Rob is more of an intro but you’ll find some more great info from Rob coming soon. Take it away, Rob!

Hi everyone, my name is Rob Randell. I’m a Security Specialist at VMware and Mike is giving me the opportunity to use his blog to talk a bit about virtualization security and more specifically the relationship between the virtualization team and the security teams within the customers that I talk to. My role at VMware allows me to talk to both virtualization professionals and security professionals about the security issues surrounding virtualization as well as the best practices that can help mitigate the risks and architect a deployment. The one thing that I have found in common in the most successful deployments is that the virtualization team works closely with the security team during all phases of the implementation. These customers included the security team as part of the architecture team and made sure they were a part of the deployment each step of the way.

Unfortunately, very often this situation is the exception and not the rule. Many of the customers that I talk to are only talking to me because they have started a wide-scale deployment of VMware VI and the security team gets wind of it once it is well underway or, worse, some sort of audit is initiated (PCI, Sarbox, HIPAA, etc.). At this point the entire architecture needs to be reviewed and very often rearchitected to meet the necessary security and audit requirements. See the following article for a great example of this.

To avoid a situation like this it is important for the security team to be involved in the deployment from the start. While it may seem difficult at first, it will pay dividends in the end when the audit man comes a-calling. In my experience as a security professional, security people are always skeptical or paranoid of what they don’t know. So make sure you are working closely with the security team and that they understand the technology and, more importantly, the differences between bare metal virtualization (ESX) and hosted virtualization (VMware Workstation, Server, Player) and the risks involved with deploying each. There are very different risk profiles for each technology, and with a solid understanding of these the security team will be much more likely to be cooperative and will help to come up with a very efficient and secure implementation that won’t have to be redone when the environment is audited.

So if you are deploying virtualization in your organization (no matter what the flavor) take my advice and include your security team in the process. They are likely pretty good people and it will save you a lot of heartburn in the end. You may actually learn something as well. ;-) One more note: everything I just said also goes for the storage and networking teams. Remember virtualization touches every part of the infrastructure, so it is important to keep everyone up to speed and a part of the process so you won’t hit any unforeseen roadblocks.

I may be back from time to time with other security-related posts. In the meantime, please comment here if there are specific security questions or concerns that you would like me to address.

Check out the VMware Security Center and Compliance Center for more information on VMware security and compliance.
