The IT industry has seen a rapid move towards 'virtualisation'. For example, the 2012 InformationWeek State of the Data Centre survey highlighted that half of the 256 respondents would have at least 50% of their production servers virtualised by 2013.
What do we mean by 'virtualisation'?
Virtualisation is the general term used in the IT industry to denote the movement from physical to simulated (i.e. virtual) technologies and machines. Virtualisation takes many forms: virtual components include hardware platforms, operating systems and storage devices, while virtual products include those operating via a cloud, or providing platform, server, application, desktop and/or network virtualisation.
A recent example of an organisation's 'virtualisation' is Dublin Airport Authority's 2012 IT infrastructure overhaul, whereby it went through a process of 'virtualisation' of more than 360 servers - it used a software application to divide a physical server into multiple isolated virtual environments.
What are the security risks?
In many circumstances, virtualisation can reduce costs and increase efficiencies. However, these benefits should be considered in light of the security risks applicable to using virtual products and/or services.
It is a common misconception that the security risks associated with the use of a physical server will be identical to those of a virtual server. This is not the case, and organisations embarking on virtualisation, in any of its guises, should be mindful of this. For example, a virtual server involves two operating systems - that of the server itself and that of the virtualisation platform - each of which may need to be monitored and patched.
The impact of these security risks was demonstrated by the 'DigiNotar breach'. In July 2011, the Dutch certificate authority's security was breached, enabled in part by the limitations of its network segmentation and firewall. The breach resulted in a malicious hacker using DigiNotar's infrastructure to issue rogue digital certificates for high-profile domains, affecting the websites of the CIA, MI6, Mossad, Facebook, Microsoft, Skype and Twitter, to name a few. According to the SANS Institute, as more organisations move to virtualised systems and processes, security risks will continue to escalate.
Contractually, what preventative steps can be taken?
In light of the above, entities moving towards virtualisation, whether in an outsourced or insourced capacity, should:
- undertake an internal risk assessment to identify and prioritise their security risks
- draft and maintain a stringent data security policy setting out their data security requirements, which should be adhered to internally and externally
- consider internally adopting, and externally requiring third parties to comply with, the Information Security Forum's (ISF's) standard of good practice for securing virtual environments
Organisations should ensure their commercial contracts deal appropriately with IT security risk prevention and detection. For example, they should consider including within such contracts, where applicable:
- change control provisions in relation to the services and specifications applicable
- reporting obligations and monitoring mechanisms
- requirements to monitor users and network traffic between virtual servers, and between virtual and physical servers (in order to detect malicious or unexpected behaviour)
- obligations to obtain and maintain appropriate network-based security (for example, firewalls, intrusion detection and/or data leakage protection), and to identify whether such security is included in or excluded from any applicable charges
- express provisions dealing with the parties' liability in respect of losses incurred due to loss of data
What does this mean?
A customer and/or operator should be mindful of the security risks associated with virtual products and/or services, and should protect themselves against these risks by incorporating protective mechanisms into their contractual documentation.
Shoosmiths can provide expert advice on how a customer and/or operator can achieve such protection via its commercial contracts. Should you have any queries in relation to the content of this article or the issues raised within it, please do not hesitate to contact Magdalena Konig.