McAfee's Foundstone Professional Services Outlines Security Best Practices
for Virtualized Environments
CANNES, France, Feb. 27 /PRNewswire-FirstCall/ -- McAfee, Inc. (NYSE:
MFE), the world's largest dedicated security company, today unveiled the
industry's first service designed to help organizations securely deploy
virtualization technologies.
As part of its strategy to provide the most complete solution for
secure virtualization, McAfee(R) Foundstone(R) Professional Services also
outlined a set of security guidelines covering people, processes and
technology to educate enterprises adopting virtualization technologies.
"With the popularity of virtualization and the rush to reap its
benefits, companies may not always follow the best security best
practices," said Bill Hau, vice president of McAfee Foundstone Professional
Services. "Many of the security practices that work in physical computing
environments also work in the virtual world, yet there are some unique
requirements. Our new service will help customers meet the security
requirements of these new virtual environments."
"The new Foundstone Professional Services offering complements the
robust security features built into VMware virtualization software," said
Brian Byun, vice president of global partners and solutions at VMware.
"Together, VMware and McAfee will ensure that customers can continue to run
their virtualized environments with even greater security than purely
physical environments."
McAfee Foundstone Professional Services helps enterprises create,
deploy and maintain virtual infrastructure with the highest possible
security. Foundstone consultants help identify and mitigate the risk to a
virtual infrastructure by reviewing the people, processes and technology
surrounding this virtual deployment.
"By formulating a holistic approach to people, process and technology,
security professionals can be confident that their virtualization strategy
is in line with the rest of their traditional security policy," said Hau.
"Organizations can now enjoy the full benefits of virtualization with
enhanced security by taking a risk based approach. This is not only
recommended but critical when making any such large and revolutionary
changes."
Virtualization Security Requirements
Virtualization is generating global momentum because it can deliver
significant business benefits for customers: reducing capital and operating
expenses, assuring business continuity, strengthening security, and going
green.
However, the security implications of adding virtual machines to a
corporate environment also need careful consideration. In a 2007
InformationWeek survey of IT professionals, only 12 percent said they had
put strategies in place to protect their virtual machines.
Just as with physical systems, IT organizations using virtualization
technologies must focus on people, processes and technological
considerations associated with securing their operations. Some of the items
enterprises need take note of when deploying virtualization technologies
include:
-- Data protection. Just as with physical systems, users should consider
what data will be stored on virtual systems. A breach may expose
organizations to a disclosure threat. Virtual disks are typically
stored on the host in an unprotected format, so encryption and strong
access controls should be considered where appropriate.
-- Management controls need to be protected. Many virtual machine (VM)
management Web consoles come with self-signed SSL certificates that
should be replaced with certificates issued by trusted third parties,
to prevent man-in-the-middle attacks. Also, just as with physical
environments, organizations should understand the risk of exposing
management interfaces to the Internet, or even extended populations of
their own user base. The impact of management traffic being intercepted
could be significant.
-- It is important to consider what access users have with respect to the
host. To manage such provisioning and authorization it may be wise to
create and designate new roles including virtual machine (VM)
administrators, VM authors and VM users.
-- Administrators must understand the nuances and possible attacks on the
systems they are deploying. While this is true in physical environments
as well, virtualization technology has its own unique characteristics
that add or change the attack surface. These must be understood given
its role in the infrastructure.
-- Hardware or firmware changes on a physical machine could affect
confidentiality, integrity and availability of the virtual machines
running on that machine. On a similar note, tried and tested patch
management techniques in use today may have to be augmented to deal
with virtualized infrastructures. Organizations need to track what
software, including applications, is installed on their physical and
virtual systems and keep up with patches, including the virtualization
software itself
-- Asset and inventory management. Organizations and administrators must
always maintain control of the number of licenses in use especially as
virtual machines are created, retired or duplicated.
-- Contingency planning and disaster recovery strategies can be optimized
to gain significant synergies from virtualization deployments.
McAfee's security risk management offerings are fully compatible with
virtual environments and can help enterprises create a safe computing
environment. ePolicy Orchestrator(R), McAfee's award-winning security
management technology, provides powerful unified management, reporting and
auditing features for physical and virtual systems.
McAfee offers additional insight into securing virtual environments in
"Virtualization and Risk - Key Security Considerations for your Enterprise
Architecture," a new paper available at
http://www.mcafee.com/virtualization/. For more information about the
Foundstone Virtual Infrastructure Security Assessment service visit
http://www.foundstone.com/virtualization.
Availability
Foundstone's new Virtual Infrastructure Security Assessment is
available today.
About McAfee, Inc.
McAfee, Inc., headquartered in Santa Clara, California, is the world's
largest dedicated security technology company. It delivers proactive and
proven solutions and services that secure systems and networks around the
world, allowing users to browse and shop the Web securely. With its
unmatched security expertise and commitment to innovation, McAfee empowers
home users, businesses, the public sector and service providers by enabling
them to comply with regulations, protect data, prevent disruptions,
identify vulnerabilities and continuously monitor and improve their
security. http://www.mcafee.com.
McAfee, Foundstone, ePolicy Orchestrator, and/or other noted McAfee
related products contained herein are registered trademarks or trademarks
of McAfee, Inc., and/or its affiliates in the US and/or other countries.
McAfee Red in connection with security is distinctive of McAfee brand
products. Any other non-McAfee related products, registered and/or
unregistered trademarks contained herein is only by reference and are the
sole property of their respective owners. (C)2008 McAfee, Inc. All Rights
Reserved.
SOURCE McAfee, Inc.
 back to top
Related links:
http://www.mcafee.com
http://www.foundstone.com/virtualization
CONTACT:
Joris Evers of McAfee Inc., +1-650-488-7448,
joris_evers@mcafee.com; or Ian Bain of Red Consultancy,
+1-415-618-8806, ian.bain@redconsultancy.com, for McAfee, Inc.
|
