Using Virtualization for Security

From the Nov. 2008 Issue

Virtualization technology has become a very powerful tool for improving security in tax and accounting firms. It allows public accountants to do many things without affecting the primary operating systems and network infrastructures of existing technology configurations. Over the past few years, several of the columnists in this magazine (including myself) have discussed the various aspects of virtualization and how it works. Using virtualization technology allows for testing of changes to operating systems, changes to software, testing of new software, and even exploring websites that have unfamiliar content. This column focuses on security, but you can read a lot more about the why and how of virtualization in this issue beginning on page 19. Here, we will examine the ways in which this technology can be utilized to the benefit of security in our computer environments.

WHY DOES VIRTUALIZATION IMPROVE SECURITY?
Virtualization allows you to explore and test different configurations and scenarios in the technology environment without making the changes to the main computers used in production. This improves security in the technology environment because it allows for changes to the security in the guest (virtual) operating system without affecting the host operating system.

This keeps the production network computers safe while testing the changes that are desired to be made in an environment. Changes can be made without fear that such changes will cause a security breach or security issue in the production environment. Because virtual environments allow for testing of new software or making different changes in the operating system to see the effect of those changes without opening up security vulnerabilities, the data on the network is protected.

WHY USE VIRTUALIZATION?
The use of virtualization allows for many different types of testing and experimentation. One of the most beneficial uses is to test beta software or newly released software that might conflict with other applications or hardware, or that may cause stability problems with the operating system. With the many different types of programs used by an accounting firm, it is important to test new products (whether beta or released) to ensure that issues that might occur once everyone is using the products are identified and dealt with before rolling the programs out to all users.

This also improves security because the new operating system, especially if it is a beta version, may not have all the security protocols enabled. By putting it on a production computer, it is possible the tester could encounter unknown vulnerabilities. As of the writing of this column, Internet Explorer 8 is currently in beta version 2. If a user wants to test this beta version, it is possible that it could have programming errors (bugs) that would open up possible security vulnerabilities. Using virtualization can prevent this from happening.

Using virtualization also provides an opportunity to figure out if the new software is something desired for use in the main environment or if it is something that is going to cause stability or other issues. This testing environment prevents problems in the production environment because the virtual machine can be turned off at any time (even quickly) without fear of damaging something in the production network. This also gives time to resolve technical issues that might occur without being forced to solve a problem immediately while a user waits to get back to doing productive work. A virtual computer can be turned off and the problem researched without it impacting the ability to do other work.