The virtual wave is cresting and is ready to wash over the enterprise – but at what cost to security and compliance? What are the challenges presented by virtualisation in terms of identity and access management?
First, what makes virtualisation so popular? Virtualisation is about delivering any application or data to anybody at any time – making it especially relevant to organisations with a large mobile or geographically disparate workforce.
As an organisation’s workforce becomes increasingly distributed, access to critical applications and data is required from a variety of locations. Virtualisation affords today’s workforce access to the enterprise anytime and anywhere – without costly client software installs, and without bogging down network performance.
Virtualisation’s strengths in providing "anytime anywhere" access also represent the greatest threats to enterprise security and compliance. While identity management and access compliance remain a top IT priority for organisations, the potential impact of virtualisation has been relatively ignored.
Virtualisation technology excels at providing user access to applications and data – but what it’s not designed to do is determine whether that user should have access to those applications at all. Virtualisation creates a new level of exposure in adhering to compliance and security policies, adding layers of complexity to the issue of clearly knowing and enforcing policy around the level of access granted to a user and why.
Identity management and access compliance software has traditionally focused on in-house enterprise access – the act of putting the policies and procedures in place to ensure that users only have access to the applications and data that they’re credentialed to have based upon their job or role within the organisation. This task is complicated when introducing virtualisation.
Virtualised access is usually provided through third-party applications, such as Citrix Presentation Server, VMware and others. Access is traditionally linked to another platform such as an Active Directory group. Virtualisation provides limited visibility into how a user achieved access to an application or data, muddying the compliance waters.
Consider the following scenario: While it may be easy to see that a user is part of Active Directory "Group X," what access clearance does that group actually provide? What policies are in place to ensure that the user should get access to specific applications via the virtual product?
If the IT team adds a user to Group X in order to give them access via a virtualisation application, what other access do they get by being associated with this group? If these questions haven't been asked yet, you can be sure the next question your auditor will ask is: "How did this user get access and why?"
These are fundamental questions that all organisations should ask themselves when moving to a virtualised environment – but they are not concerns that should inhibit organisations from realising the business advantages that virtualisation provides. The key to effectively and securely deploying virtualisation technology is to ensure that policies are in place to control access and that they are being enforced – every time.
Reviewing and provisioning access manually can be a tremendous burden to an organisation’s IT staff. Manually reviewing a group’s access rights and how an individual user’s access rights match up is a labour-intensive process that can bog down your IT staff.
To ensure policy is being enforced correctly every time virtualised access is established, organisations need to automate the enforcement of security and regulatory policies for remote and virtualised application access.
By automating remote and virtualised access, organisations are able to quickly map Active Directory Group management to virtualisation access policies – providing quick verification of a user’s access rights, and alleviating a heavy burden carried by the IT staff.
This puts control into the hands of line of business managers – giving them the ability to create access only where it’s appropriate, and only for the properly credentialed. Automation also provides an auditing mechanism to provide periodic checks of users’ access to ensure that it’s in line with corporate policy.
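As an illustration of the periodic check described above (an added example, not code from the author or any product), the following Python sketch resolves each user's access through directly assigned and nested groups, records which membership chain grants each entitlement, and reports anything outside the user's role policy. All user names, group names, roles and entitlement labels are constructed sample data.

```python
# Constructed sample data: every name and entitlement label is hypothetical.
MEMBER_OF = {                      # principal -> groups it directly belongs to
    "alice": {"Group X"},
    "bob": {"Contractors"},
    "carol": {"Finance-Users"},
    "Contractors": {"Group X"},    # nested group: members inherit Group X
}
GROUP_GRANTS = {                   # what each group actually unlocks
    "Group X": {"citrix:crm", "share:hr-records"},
    "Finance-Users": {"citrix:ledger"},
}
USER_ROLE = {"alice": "sales", "bob": "contractor", "carol": "finance"}
ROLE_POLICY = {                    # entitlements each role is approved to hold
    "sales": {"citrix:crm"},
    "contractor": {"citrix:crm"},
    "finance": {"citrix:ledger"},
}

def access_paths(user):
    """Return {entitlement: [membership chains that grant it]} for one user."""
    paths, seen = {}, set()
    stack = [(g, g) for g in sorted(MEMBER_OF.get(user, ()))]
    while stack:
        group, chain = stack.pop()
        if group in seen:          # guard against cyclic group nesting
            continue
        seen.add(group)
        for ent in sorted(GROUP_GRANTS.get(group, ())):
            paths.setdefault(ent, []).append(chain)
        for parent in sorted(MEMBER_OF.get(group, ())):
            stack.append((parent, f"{chain} > {parent}"))
    return paths

def audit():
    """List (user, entitlement, chains) for access not allowed by role policy."""
    findings = []
    for user in sorted(USER_ROLE):
        allowed = ROLE_POLICY.get(USER_ROLE[user], set())
        for ent, chains in sorted(access_paths(user).items()):
            if ent not in allowed:
                findings.append((user, ent, chains))
    return findings

if __name__ == "__main__":
    for user, ent, chains in audit():
        print(f"POLICY EXCEPTION {user}: {ent} via {'; '.join(chains)}")
```

Each finding carries the membership chain, which is the evidence an auditor asks for: how the user got the access, and which group assignment to remediate.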
While virtualisation will no doubt revolutionise the way an organisation views its IT infrastructure, addressing the security and compliance issues it raises is a top priority. The key to achieving the benefits of virtualisation while maintaining access compliance lies in the automated creation, enforcement and validation of corporate policy, with quick remediation of any policy exceptions.
- Kurt Johnson is vice president for corporate development at Courion Corp.
Coping with a new virtualised business
By Kurt Johnson, on May 23, 2007 4:22PM