New ISACA Guide Shares Strategies for Minimizing Virtualization Risks

Rolling Meadows, IL, USA (7th December 2010): With its potential to reduce expenses, drive automation and provide flexibility, virtualization has earned its way onto the board agenda and is being implemented by enterprises worldwide. But with the many benefits of virtualization come considerable risks. Global IT association ISACA provides a balanced look at virtualization—and strategies to help enterprises maximize the value—in a new white paper available for free download from www.isaca.org/virtualization.

According to the “Virtualization: Benefits and Challenges” white paper, virtualization risks can be divided into three groups:

· Attacks on virtualization infrastructure—The two primary types are hyperjacking and virtual machine (VM) jumping. Hyperjacking is still a theoretical attack scenario, but has earned significant attention because of the major damage it can potentially cause.

· Attacks on virtualization features—The more common targets include VM migration and virtual networking functions.

· Compliance and management challenges—The number and types of VM can easily get out of hand; VM sprawl and dormant VMs make it a challenge to get accurate results from vulnerability assessments, patching/updates and auditing.

To combat these risks, ISACA recommends the following:

1. Patch and harden the hypervisor and the guests it supports.

2. Use physical, network and virtualization-based separation to segment VMs and systems.

3. Use transport encryption to secure VM migration.

4. Implement virtualization-aware management products and services.

“Virtualization has recently become a more common practice and enterprises are already realizing cost savings and efficiencies by moving to virtualized environments,” said Ramsés Gallego, CISM, CGEIT, CISSP, an author of the white paper and general manager at Entel IT Consulting. “However, to achieve this value, enterprises must consider the potential security risks and governance considerations. Having well-documented business processes and strong audit capabilities will help ensure the best possible value.”

To download a free copy of “Virtualization: Benefits and Challenges” and a virtualization security checklist from HyTrust, visit www.isaca.org/virtualization.

With 95,000 constituents in 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Follow ISACA on Twitter: http://twitter.com/ISACANews

Source: Eskenzi PR