S 2.447 Secure use of virtual IT systems
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator, Head of IT
For the initial operation of virtual IT systems, some particularities which go beyond the safeguards required for physical IT systems must be taken into consideration (for example, S 2.318 Secure installation of an IT system). This results from the dynamics and flexibility of virtual IT systems as well as from the possibility that several virtual IT systems processing different data are operated at the same time on one virtualisation server.
First of all, the initial operation of virtual IT systems must be carried out according to their type and application scenario (application server or client, but also switch, for example) just like physical computers. Therefore, the safeguards relevant and established for physical systems must also be implemented during installation and in later operations for virtual IT systems. In addition, it must be taken into account that additional threats might arise for applications if they are moved from stand-alone physical IT systems to virtual IT systems. For example, bottlenecks can arise in the data processing speed or the storage capacity under some circumstances when applications are moved to virtual IT systems. Thus, it might be necessary to adapt existing installation documentation for a virtual IT system to be initially put into operation.
Therefore, care must be taken when preparing the initial operation of virtual IT systems (see also S 2.444 Planning the use of virtual IT systems). The following aspects in particular should be taken into account prior to immediate initial operation:
- It must be ensured that only the administrators responsible are allowed to configure the virtualisation software with regard to the virtual IT system and to set up or delete virtual IT systems.
- The access rights to the virtual IT systems must be set up according to the requirements. The general rule that only those access capabilities actually needed should be granted applies in this case as well. This not only applies to the administration software of the virtualisation server, but also especially for the data with which the virtual IT system is represented on the virtualisation server.
- It must be ensured that the network connections which are necessary for the virtual IT systems are available in the virtual infrastructure.
- The effects of the virtualisation (for example, during system monitoring or when using virtual hardware resources) resulting for the administrators of the virtual IT system itself and the applications operated on it must be determined and taken into account.
- Depending on the application scenario, the individual virtual IT systems on a physical computer must be more or less isolated and encapsulated (see also S 3.72 Basic terminology of virtualisation technology and S 3.70 Introduction to virtualisation). This applies in particular to situations in which virtual IT systems with different protection requirements are to be operated on a virtualisation server.
- The use of several virtual IT systems on a given physical computer can have serious effects on the availability, throughput and response times of the applications operated. It must be checked whether the requirements in terms of availability and throughput of the applications can be met by the virtualisation solution used. This can be achieved by testing, prior to entry into live operations, whether the virtual IT system achieves acceptable response times and processing speeds.
- In addition, the performance parameters of virtual servers should be monitored so that the configuration can be changed quickly if bottlenecks arise. Monitoring can be performed at the level of the virtual IT systems or at the level of the corresponding virtualisation server. Here, it must be noted that performance values determined by the virtual IT systems themselves do not always reflect reality. With some virtualisation products, for example, only a certain proportion of the overall processor time is assigned to a virtual IT system. If the virtual system then reports a load of its (virtual) processor, this does not correspond to the actual load of the physical processor, but only to the load of the processor time assigned to it.
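The caveat about guest-side performance values can be made concrete with the Linux kernel's own counters: the aggregate "cpu" line of /proc/stat carries a "steal" column that records time during which the virtual processor wanted to run but the hypervisor scheduled something else. The following is an added example, not part of the safeguard text or of any virtualisation product; it compares two constructed snapshots and shows how a guest can report 70 % load while having received only 45 % of the physical processor time. The alerting threshold STEAL_WARN and the snapshot values are assumptions.

```python
"""Added example: distinguish a guest's apparent CPU load from the share of
physical processor time it actually received, using Linux /proc/stat counters.
The snapshots below are constructed for illustration."""
from dataclasses import dataclass

# Columns of the aggregate "cpu" line in /proc/stat (jiffies). "guest" and
# "guest_nice" are already included in "user"/"nice", so they are parsed but
# excluded from the total to avoid double counting.
FIELDS = ("user", "nice", "system", "idle", "iowait",
          "irq", "softirq", "steal", "guest", "guest_nice")
COUNTED = FIELDS[:8]


def parse_cpu_line(line: str) -> dict:
    """Parse the first ('cpu') line of /proc/stat into a field dict."""
    parts = line.split()
    if not parts or parts[0] != "cpu":
        raise ValueError("expected the aggregate 'cpu' line of /proc/stat")
    values = [int(v) for v in parts[1:]]
    values += [0] * (len(FIELDS) - len(values))  # older kernels expose fewer columns
    return dict(zip(FIELDS, values))


@dataclass
class CpuView:
    apparent_load: float    # what a naive guest-side monitor reports: 1 - idle share
    physical_share: float   # share of wall-clock time the vCPU really executed
    steal_fraction: float   # share the hypervisor gave to other VMs or host work
    idle_fraction: float


def analyse(before: str, after: str) -> CpuView:
    """Compare two /proc/stat 'cpu' lines taken some seconds apart."""
    b, a = parse_cpu_line(before), parse_cpu_line(after)
    delta = {k: a[k] - b[k] for k in COUNTED}
    total = sum(delta.values())
    if total <= 0:
        raise ValueError("counters did not advance between snapshots")
    work = sum(delta[k] for k in ("user", "nice", "system", "irq", "softirq"))
    wait = delta["idle"] + delta["iowait"]
    return CpuView(
        apparent_load=(total - wait) / total,
        physical_share=work / total,
        steal_fraction=delta["steal"] / total,
        idle_fraction=wait / total,
    )


STEAL_WARN = 0.10  # assumed alerting threshold; tune per environment


def assess(view: CpuView, threshold: float = STEAL_WARN) -> str:
    """Turn the measurement into an operator-facing verdict."""
    if view.steal_fraction >= threshold:
        return (f"WARNING: guest reports {view.apparent_load:.0%} load but received "
                f"only {view.physical_share:.0%} of physical CPU time; "
                f"{view.steal_fraction:.0%} was taken by the hypervisor")
    return f"OK: load {view.apparent_load:.0%}, steal {view.steal_fraction:.0%}"


# Constructed snapshots: 2000 jiffies apart, 500 of them steal time.
SNAPSHOT_T0 = "cpu  1000 0 500 8000 100 0 0 400 0 0"
SNAPSHOT_T1 = "cpu  1600 0 800 8600 100 0 0 900 0 0"


def read_live_cpu_line(path: str = "/proc/stat") -> str:
    """Read the aggregate line from a running Linux guest (for real use)."""
    with open(path) as fh:
        return fh.readline()


if __name__ == "__main__":
    print(assess(analyse(SNAPSHOT_T0, SNAPSHOT_T1)))
```

A monitoring agent that only computes "100 % minus idle" counts stolen time as busy time and overstates the guest's load, while the virtualisation server's own view is the only place where the physical processor load is visible. Feeding both values into monitoring, and alerting on the steal fraction, is what lets an administrator tell an overloaded application apart from an oversubscribed virtualisation server.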
Review questions:
- Are the rights of the administrators to access the virtual IT systems restricted to the extent necessary and are only the actually required access options permitted?
- Are the network connections required for the virtual IT systems available?
- Are the administrators of the virtualisation environment, the virtual IT systems and the applications operated on them familiar with the effects of virtualisation?
- Are the isolation and encapsulation requirements of the virtual IT systems as well as of the applications operated on them met?
- Have the requirements of the virtual IT systems in terms of availability and throughput been determined?
- Is the performance of the virtual IT systems monitored during operation?
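The first review question, and the earlier point that access rights must cover the data with which a virtual IT system is represented on the virtualisation server, can be checked mechanically on a Linux host. The following is an added example, not part of the safeguard text or of any product: it walks a storage directory, treats files with common disk-image and VM-definition suffixes as VM artefacts, and reports any that are readable or writable beyond their owner. The suffix lists, the demo directory and its file modes are assumptions constructed for the example.

```python
"""Added example: audit the files that represent virtual IT systems on a
virtualisation host (disk images and VM definitions) for permissions that grant
more access than the responsible administrators need. Paths and suffix lists
are assumptions, not a product's own conventions."""
import os
import stat
import tempfile
from pathlib import Path

IMAGE_SUFFIXES = {".qcow2", ".img", ".raw", ".vmdk", ".vdi", ".vhd", ".vhdx"}
DEFINITION_SUFFIXES = {".xml", ".vmx"}


def audit_vm_storage(root, allowed_uids=None):
    """Return findings for VM files readable or writable beyond their owner.

    allowed_uids: optional set of numeric uids permitted to own VM files
    (e.g. the virtualisation service account); any other owner is reported.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() not in IMAGE_SUFFIXES | DEFINITION_SUFFIXES:
            continue
        st = path.stat()
        problems = []
        if st.st_mode & stat.S_IROTH:
            problems.append("world-readable")
        if st.st_mode & stat.S_IWOTH:
            problems.append("world-writable")
        if st.st_mode & stat.S_IWGRP:
            problems.append("group-writable")
        if allowed_uids is not None and st.st_uid not in allowed_uids:
            problems.append(f"owner uid {st.st_uid} not in allowed set")
        if problems:
            findings.append({"path": str(path),
                             "mode": oct(stat.S_IMODE(st.st_mode)),
                             "problems": problems})
    return findings


def build_demo_tree() -> str:
    """Create a constructed directory tree with one correct and two weak files."""
    root = tempfile.mkdtemp(prefix="vm-audit-")
    samples = {
        "web01/web01.qcow2": 0o600,  # owner only: acceptable
        "db01/db01.qcow2": 0o644,    # world-readable disk image: finding
        "db01/db01.xml": 0o666,      # world-writable definition: finding
        "db01/notes.txt": 0o666,     # not a VM artefact: ignored
    }
    for rel, mode in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    for f in audit_vm_storage(build_demo_tree()):
        print(f["path"], f["mode"], ", ".join(f["problems"]))
```

A world-readable disk image hands the complete contents of the virtual IT system, including any credentials stored in it, to every local account on the virtualisation server, which is why the safeguard stresses the representation data and not only the administration software. Running such a check after initial operation and again periodically gives a direct answer to the first review question.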