Virtualized IT environments, which have become indispensable to many companies as they consolidate servers, can now be checked against a vendor-neutral security configuration benchmark developed by the Center for Internet Security.
The CIS, a nonprofit organization with a mailing address in Hershey, Pa., creates guidelines for securing widely used technologies, such as the Windows, Unix and Linux operating systems and major applications. On Tuesday, it posted a 30-page document that can be used to configure any virtual machine installation. Later this month, the group plans to add a similar benchmark that is specific to virtualization market leader VMware Inc.’s ESX Server software.
CIS officials contend that independent configuration guidelines, developed on a consensus basis with input from parties that aren’t affiliated with the vendors of the technologies being addressed, are critical to securing IT systems.
“If everybody had listened to Microsoft-and-only-Microsoft guidance for all these years for securing systems, we would be in a world of hurt,” said Dave Shackleford, a vice president at the CIS. The same point applies to any other software vendor, he added.
Shackleford said the CIS received input on the virtual machine benchmark from the U.S. Department of Homeland Security, the National Institute of Standards and Technology and the private sector.
Among those involved in the development of the guidelines was Configuresoft Inc., a Colorado Springs-based vendor of configuration management software and tools that let users check whether their systems comply with various benchmarks. Andrew Bird, Configuresoft’s vice president of marketing, said the company helped launch the virtualization benchmarking effort in February 2006 during a birds-of-a-feather session at the RSA Conference in San Jose.
The new benchmark provides information on a broad range of topics, such as sharing files between a host and guest server, the problems associated with synchronizing time between various virtual systems, and disabling features in order to improve security.
The upcoming guidelines for ESX Server will include specific details related to the VMware software, according to the CIS. For instance, specific parameters will be provided for tuning the ESX kernel for systems running Red Hat Linux.
Shackleford said the CIS has yet to decide whether it will develop similar benchmarks for other virtualization products, such as Microsoft Corp.’s Virtual Server and XenSource Inc.’s software based on the Xen open-source technology.
“We’re probably helping the community in the largest way possible by focusing on the biggest target possible,” he said, referring to VMware.
