What do your current virtual server security and compliance procedures look like? It might be time to take a closer look to reduce risk.
Virtualization offers many advantages, but ineffective virtual server security and compliance policies can offset any benefits. Virtual machine (VM) sprawl and software license management, in particular, might be vulnerable to security breaches or audit failure, which can be costly to fix.
It’s easy to identify the number of on-premise desktops on a traditional network, but it’s difficult to know how many VMs exist in an IT environment, as each desktop can host multiple virtual machines. For instance, if you create a VM in a sandbox testing environment and forget about it, it could remain unpatched and open to exploitation by hackers. Similarly, a forgotten VM might use software licenses no longer in your inventory.
To resolve security and software licensing issues, it’s important to ensure that all physical machines are correctly inventoried, with all virtual environments and related software included in a regularly maintained list.
Be aware of all security concerns
“There’s no inherent difference between a virtualized environment and a traditional one,” says Charles Weaver, the co-founder and CEO of MSPAlliance. “What matters are the physical security, logical security, and other environmental risks to the virtualized object, including the monitoring and management capabilities.”
So how can you maintain security in virtual environments and ensure accurate asset tracking in both physical and virtual environments?
Many SMBs wonder if doing so is necessary, but if you think that virtual server security and compliance issues only affect larger businesses, you’re wrong. Even SMBs who host their virtualized environments off-premises need to be aware of license management responsibilities and VM instances.
Tackle hardware and software tracking
Whether your virtual server is on-premises or part of your service provider’s off-premises solution, your organization is responsible for security and license management. If it’s in a managed off-site environment, the service provider assumes responsibility.
“When infrastructure as a service is utilized,” Weaver says, “the service provider needs to be aware of the licensing model—specifically, who’s responsible for user licensing: the provider or the customer? Failure to address such an issue could result in potential legal and licensing fines from the software vendor.”
Software license management has become complex. Depending on the vendor, licensing is based on one or more of the following:
– Physical instance per install instance (whether physical or virtual)
– Physical hardware, based on each CPU, CPU socket, or CPU core
– Virtual hardware, based on the virtual CPUs assigned per VM
– Whether there is a hybrid environment with a combination of physical and virtual (limited to VMs on a physical host)
– Usage, time spent, or traffic generated
– Client-based number of users (limits on concurrent connection possible)
Because there are so many licensing options, any IT asset management (ITAM) solution should provide an accurate assessment of hardware and software in physical and virtual environments. An Excel spreadsheet is not enough. Even with an effective ITAM tool, license complexity may require expert analysis.
“It’s often necessary to seek outside experts to help with license interpretation and calculation of the effective license position for a particular vendor,” says Robert J. Scott, an attorney and co-founder of Scott & Scott, LLP, a legal and technology powerhouse that provides expert consultation to companies who need to stay abreast of developing technology and emerging law. “Rules regarding virtualization vary by vendor and use case. Before deploying software in virtual environments, understand the licensing rules and seek outside help if the rules are unclear.”
Address internal and external threats
You can manage your hardware and software by testing and selecting the appropriate software solution for your business. The solution should include the following features:
– The ability to register any network-attached device to aid network monitoring and present a clear picture of the current status to the IT desk
– Reporting for hardware and software, including patch levels for software and detailed hardware specifications (e.g., number of processor cores, VMs, and related data)
– The ability to generate useful reports, such as maintenance schedules and licenses by vendor
– Visibility of license duration
An effective ITAM solution will mitigate the risks associated with shadow IT, keep all devices up to date, identify all hardware and software instances (even inside VMs), and ensure software license compliance by performing regular network audits. However, not all compliance requirements involve network monitoring. Scott recommends keeping diligent records for software purchases and choosing vendors that organize purchase records. Routine discovery and reconciliation are also necessary to avoid compliance risk.
Once you take all precautions and put an effective ITAM solution in place, IT can concentrate on business-critical activities, secure in the knowledge that any software audit won’t present a threat. Now, if asked, you can produce purchase orders for that older desktop in reception and confirm that the software installed on it is compliant.