Virtualization users get vendor-neutral security guide

Virtualized IT environments, which have become indispensable to many companies as they consolidate servers, can now be checked against a vendor-neutral security configuration benchmark developed by the Center for Internet Security.

The CIS, a nonprofit organization with a mailing address in Hershey, Pa., creates guidelines for securing widely used technologies, such as the Windows, Unix and Linux operating systems and major applications. On Tuesday, it posted a 30-page document that can be used to configure any virtual machine installation. Later this month, the group plans to add a similar benchmark that is specific to virtualization market leader VMware Inc.’s ESX Server software.

CIS officials contend that independent configuration guidelines, developed on a consensus basis with input from parties that aren’t affiliated with the vendors of the technologies being addressed, are critical to securing IT systems.

“If everybody had listened to Microsoft-and-only-Microsoft guidance for all these years for securing systems, we would be in a world of hurt,” said Dave Shackleford, a vice president at the CIS. The same point applies to any other software vendor, he added.

Shackleford said the CIS received input on the virtual machine benchmark from the U.S. Department of Homeland Security, the National Institute of Standards and Technology and the private sector.

Among those involved in the development of the guidelines was Configuresoft Inc., a Colorado Springs-based vendor of configuration management software and tools that let users check whether their systems comply with various benchmarks. Andrew Bird, Configuresoft’s vice president of marketing, said the company helped launch the virtualization benchmarking effort in February 2006 during a birds-of-a-feather session at the RSA Conference in San Jose.

The new benchmark provides information on a broad range of topics, such as sharing files between a host and guest server, the problems associated with synchronizing time between various virtual systems, and disabling features in order to improve security.

The upcoming guidelines for ESX Server will include specific details related to the VMware software, according to the CIS. For instance, specific parameters will be provided for tuning the ESX kernel for systems running Red Hat Linux.

Shackleford said the CIS has yet to decide whether it will develop similar benchmarks for other virtualization products, such as Microsoft Corp.’s Virtual Server and XenSource Inc.’s software based on the Xen open-source technology.

“We’re probably helping the community in the largest way possible by focusing on the biggest target possible,” he said, referring to VMware.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now