
Success Story: Lubbock National Bank

Natasha, May 25th, 2010

At A Glance

Organization: Lubbock National Bank (LNB)

Industry: Banking

Solution: Full Risk-Based Technology Controls Review & Risk Assessment

Benefits:

  • Simplified risk and audit assessment process
  • Clear picture of LNB’s compliance and security standards
  • Standardized policies and procedures across locations

“RiskKey was great to use and simplified the entire assessment and audit process.” - Eddie Schulz, COO of LNB

Lubbock National Bank (LNB) has operated in the Lubbock market for over 90 years. As a commercial bank it serves the Lubbock market as well as the Bryan/College Station and Austin markets under the name of Commerce National Bank. With over 20,000 customers in these markets today, LNB is committed to growing the bank by providing small business customers with strong retail products.

An integral factor in LNB’s business strategy has always been to “provide customers with a trusted place to manage and grow their hard-earned money.” In the current business landscape this is even more challenging. Every day there is a new security threat, a new risk level, and even more stringent regulations to comply with. LNB needed to implement initiatives to ensure they stayed true to their mission.

“We needed to have a strong audit company to do an extensive audit on our technology,” said Eddie Schulz, COO of LNB. “We wanted to make sure that the bank was in compliance and practicing good security and technology standards.  The Garland Group offered the exact comprehensive audit the bank needed.”

The Garland Group delivered a Full Risk-Based Technology Controls Review & Risk Assessment to LNB. This included a thorough risk assessment and policy review. We also performed a penetration test on their technology infrastructure and continue today with quarterly penetration tests. LNB was able to use our SaaS application RiskKey to gain the assurance they needed that their customers could trust them to protect their investments.

“RiskKey was great to use and simplified the entire assessment and audit process,” said Schulz. “The Garland Group gave us a complete technology audit and penetration testing.  We were very pleased with the response from our compliance team.”

After the engagement LNB knew exactly how the bank measured up against its technology standards and what it needed to do to close any gaps in those standards. “The Garland Group allowed us to understand the overall scope of our technology issues and how to shape the bank’s standards in policy and procedures,” said Schulz. “We immediately implemented the recommended new standards on policies and standardized our procedures across locations.”


Virtualization? Why Not!

Heath, May 17th, 2010


Well, I’ll tell you. Let me start by saying I do think the overall benefits of virtualization heavily outweigh the risks. Since I don’t want this to be a doom-and-gloom blog, I’ll start with the positives of virtualization.

  • Lower hardware costs, not only for servers and their maintenance but for routers and switches too, through VLANing.
  • Saving valuable physical space in server rooms.
  • Going green with energy consumption and generator/battery backups.
  • Normalizing platforms across multiple systems.
  • Agility in an environment. Imagine you had a server crash: you can just boot up a virtual machine and, like that, you are good to go!
  • Saving money in licensing. I’m not an expert at all on licensing, but I know vendors have relaxed their licensing because they aren’t really sure how to manage it with virtualization.

Now I’ll focus more on the potential risks of virtualization, because they aren’t discussed as much as the benefits, and we are security people…it’s what we do!

  • Currently there are no definitive standards yet, especially from the FFIEC, and we haven’t gotten any standards to audit against from PCI or DISA either. There are some best-practice documents, though: DISA’s Virtualization STIG (search for Virtualization on DISA’s website) and VMware’s best practices (Google: VMware Best Practices).
  • With virtualization, transparency is reduced, so it is hard to find where applications are running at a specific time. In other words, visibility within an environment is blurred.
  • Applications must be secure within themselves. What I mean is that if any piece of hardware is compromised, the data on that server can be compromised as well. So if your football bowl picks.xls is compromised and it is on the same server as customer data, you may be S.O.L.
  • Virtual machine managers have extreme access to the network like never before. Consider segregation of duties for the different IT staff managing network and core servers on separate VM installs.
  • VM migrations present risk because data may be changed during the migration. Consider encrypting channels, heavily restricting who can migrate VMs, or isolating LANs from each other.
  • With virtual security appliances, real-time monitoring always needs dedicated resources; otherwise anti-virus or internal intrusion detection may not get the resources to operate in real time.
  • Cloud computing is a risk in itself. I do believe there is risk in cloud computing. I don’t believe it is as dire as CNET suggests, but this is a good article.
  • Currently there are multiple CVEs associated with virtualization, and they can be mitigated. Just be sure your internal vulnerability scans check for virtualization risks.

Don’t let this scare you away! I’m excited about the potential of virtualization and the $$$ savings are hard to argue with. Good Luck Virtualizing and don’t forget about our upcoming June 4th webinar on Virtualization and the Compliance Around it!


RiskKey at Finovate Spring 2010

Natasha, May 13th, 2010


Awesome! A single word to describe our FinovateSpring 2010 demo experience. We presented RiskKey to a room filled with leading financial institutions, top executives and media chanting “Compliance Sucks!” The reception was incredible, and the reviews even more so as the twitterverse took our compliance message global.

@netbanker “Brad Garland leads cheer of ‘compliance sucks’ #Finovate and is now showing how its RiskKey tool helps make it suck less; nice touch”

@ConsumerFinance “Watching RiskKey demonstrate compliance simplification services application – we all just yelled ‘compliance sucks’ together @Finovate”

@jpunishill “RiskKey uses ‘7th bank of Timbuktu’ as their reference demo account. A+ for creativity. Who says you can’t innovate in compl? #Finovate”

@netbanker “RiskKey is launching its enterprise dashboard to help manage the online compliance management system; also has peer comparisons #Finovate”

@bankingreview “RiskKey: An online tool to manage compliance from The Garland Group #Finovate I can see the risk managers salivating now”

@leimer “RiskKey dashboard to help enterprise risk management. Nice new features. #Finovate”

If you’re still not sure what RiskKey does, sign up for a free trial to see how RiskKey brings simplicity, collaboration, and results to your enterprise. Our web-based product includes pre-built templates to get you started, centralized project management for your entire team, risk assessment and audit project workflows, and beautiful reporting.

Thanks to Finovate for giving us the opportunity to show RiskKey. And a huge thank you to our supporters, customers, and those who helped our presentation by chanting “compliance sucks”. Now that you know it doesn’t have to suck, contact us; we can help!


Q: Is a mixed managed security environment best for my FI?

eric, May 11th, 2010

We got a great question from Matt, who attended our last webinar, and I thought it would be great to share his question and Eric Kitchens’ answer. If you have more questions, please send them to us at info@thegarlandgroup.net and we will continue to help!

Question – I have customers that outsource firewall management, IPS / IDS, content filtering, log collection, and log monitoring for the perimeter security devices. I have customers that maintain their own firewall and outsource IPS / IDS only.

Do you feel a mixed management environment is best, or is this contingent on the technical abilities of the personnel? What are your thoughts?

Hi Matt,

Great question, and one that I think affects the majority of the financial institutions out there. Outsourcing firewall and IDS management and monitoring, log monitoring and correlation is fine; there’s nothing wrong with that. But what the institutions need to understand is that they really can’t outsource it and wash their hands of things. Regardless of the skill set of the institution, they need to be involved with the services they’ve outsourced. It is understandable that an institution that doesn’t believe it has the skill set to review system logs and firewall events wants to give all of that headache to its vendor. I think the examiners will be looking for the situations where they’ve done just that.

Ideally, an institution is going to have several data sets that they will need to correlate and that (generally) their vendor will not have access to or experience with: their fraud monitoring tools, CIF records, internal help desk metrics (hey, I said ideal, didn’t I?), reports from other outsourced services such as online banking. The examiners are going to want to see that none of that information is looked at in a vacuum. For example, correlating suspicious originating IPs from a failed online banking attempt with IPs that originated NMAP scans against the perimeter a week earlier.

That’s why I consider a “mixed management” environment better: the banker has the insight on specific data sets, their outsourced vendor has information on others, and the two need to be correlated as best they can be. With that said, if a financial institution has contracted with a vendor to provide that correlation from A to Z (that’s a pretty unique situation, by the way), I don’t think there’s anything wrong with that, given that *policies and procedures* are documented and followed and that the activity is subject to the oversight of the several responsible parties within the institution.

I say that’s a pretty unique situation because really, if that’s being done “right” it’s going to be a time-consuming process for the vendor and expensive for the institution, and I’ve never seen it done to that extent.

Hope this answers your question, Matt. If you think of any others, please let us know! info@thegarlandgroup.net

Eric Kitchens
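The correlation Eric describes, as an added example that is not part of the original post or of any Garland Group tool: it joins constructed perimeter IDS port-scan alerts (the data set an outsourced vendor would hold) with constructed online-banking login failures (the data set the institution holds) and flags source IPs that appear in both within a seven-day window. The log formats, field names and IP addresses are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real logs): perimeter IDS alerts for port
# scans, as the outsourced monitoring vendor might report them.
IDS_ALERTS = """\
2010-04-20T13:00:00 IDS portscan src=203.0.113.45 ports=1-1024
2010-05-01T02:14:09 IDS portscan src=203.0.113.45 ports=1-1024
2010-05-01T02:20:31 IDS portscan src=198.51.100.7 ports=22,80,443
2010-05-09T23:05:12 IDS portscan src=192.0.2.200 ports=1-65535
"""

# Constructed online-banking authentication failures, the data set the
# institution itself holds and the vendor usually does not see.
OLB_FAILURES = """\
2010-05-07T08:02:44 OLB login_failed user=jsmith src=203.0.113.45
2010-05-07T08:03:10 OLB login_failed user=jsmith src=203.0.113.45
2010-05-08T11:41:00 OLB login_failed user=mlee src=10.10.4.21
2010-05-10T00:10:05 OLB login_failed user=rgarza src=192.0.2.200
"""

def parse_lines(text):
    """Yield (timestamp, src_ip) from 'TIME SOURCE event ... src=IP ...' lines."""
    for line in text.splitlines():
        parts = line.split()
        ts = datetime.fromisoformat(parts[0])
        src = next(p[len("src="):] for p in parts if p.startswith("src="))
        yield ts, src

def correlate(ids_text, olb_text, window_days=7):
    """Return (ip, scan_time, failure_time) triples for every failed banking
    login whose source IP scanned the perimeter up to window_days earlier.
    Scans that happen after the failure, or outside the window, are ignored."""
    scans = {}
    for ts, ip in parse_lines(ids_text):
        scans.setdefault(ip, []).append(ts)
    hits = []
    for fail_ts, ip in parse_lines(olb_text):
        for scan_ts in scans.get(ip, []):
            if timedelta(0) <= fail_ts - scan_ts <= timedelta(days=window_days):
                hits.append((ip, scan_ts, fail_ts))
    return hits

if __name__ == "__main__":
    for ip, scan_ts, fail_ts in correlate(IDS_ALERTS, OLB_FAILURES):
        print(f"{ip}: scanned {scan_ts:%Y-%m-%d}, failed login {fail_ts:%Y-%m-%d %H:%M}")
```

The 2010-04-20 scan from 203.0.113.45 falls outside the window and is dropped, while the same address's 2010-05-01 scan is matched to both of its later login failures.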
