At the beginning of February 2011, the US National Institute of Standards and Technology (NIST) published the final set of its virtualization security guidelines. These guidelines are intended to help businesses deal with a new environment in which virtual data, not physical media, is under an increasing number of attacks from outside sources. Virtualized servers are often the targets of hackers and data thieves, and companies must be prepared for such attacks in order to deal with the security issues that will inevitably arise. While there are no hard and fast ways to protect a company from all security threats at the virtual level, NIST offers a number of excellent recommendations for protecting company data.
First, treat the virtualization layer as though it were the most critical OS in the company. Too many companies take a slapdash approach to security, but would do well to make it a top priority instead. Next, create configuration protocols that are based on the NIST guidelines but not identical to them, since every company will need configurations that are unique to its situation. Once these have been established, companies should watch them for movement or “drift” over time and make corrections as necessary.
Lastly, ensure that security layers are included in patch and vulnerability management scenarios in the long term. Breaches often come through already-known security weaknesses in existing security programs, ones for which patches and fixes are available. By staying up to date on what can protect a virtualization layer, companies can prevent their data from being used or corrupted by those with ill intent. The NIST guidelines are a good place to start.