Using Virtualization for Security

From the Nov. 2008 Issue

Virtualization technology has become a very powerful tool for improving security in tax and accounting firms. It allows public accountants to do many things without affecting the primary operating systems and network infrastructures of existing technology configurations. Over the past few years, several of the columnists in this magazine (including myself) have discussed the various aspects of virtualization and how it works. Using virtualization technology allows for testing of changes to operating systems, changes to software, testing of new software, and even exploring websites that have unfamiliar content. This column focuses on security, but you can read a lot more about the why and how of virtualization in this issue beginning on page 19. Here, we will examine the ways in which this technology can be utilized to the benefit of security in our computer environments.

WHY DOES VIRTUALIZATION IMPROVE SECURITY?
Virtualization allows you to explore and test different configurations and scenarios in the technology environment without making the changes to the main computers used in production. This improves security in the technology environment because it allows for changes to the security in the guest (virtual) operating system without affecting the host operating system.

This keeps the production network computers safe while the desired changes are tested. Changes can be made without fear that they will cause a security breach or security issue in the production environment. Because virtual environments allow you to test new software or make changes in the operating system and see the effect of those changes without opening up security vulnerabilities, the data on the network is protected.

WHY USE VIRTUALIZATION?
The use of virtualization allows for many different types of testing and experimentation. One of the most beneficial uses is to test beta software or newly released software that might conflict with other applications or hardware, or that may cause stability problems with the operating system. With the many different types of programs used by an accounting firm, it is important to test new products (whether beta or released) to ensure that issues that might occur once everyone is using the products are identified and dealt with before rolling the programs out to all users.

This also improves security because the new operating system, especially if it is a beta version, may not have all the security protocols enabled. If it is put on a production computer, the tester could encounter unknown vulnerabilities. As of the writing of this column, Internet Explorer 8 is in beta version 2. If a user wants to test this beta version, it could have programming errors (bugs) that open up security vulnerabilities. Using virtualization can prevent this from happening.

Using virtualization also provides an opportunity to figure out if the new software is something desired for use in the main environment or if it is something that is going to cause stability or other issues. This testing environment prevents problems in the production environment because the virtual machine can be turned off at any time (even quickly) without fear of damaging something in the production network. This also gives time to resolve technical issues that might occur without being forced to solve a problem immediately while a user waits to get back to doing productive work. A virtual computer can be turned off and the problem researched without it impacting the ability to do other work.

OTHER SECURITY BENEFITS
Another benefit of using virtualization is the ability to visit websites without fear of malware getting onto the host operating system. If the virtual computer is affected by the malware, it can simply be shut down. However, if the browsing is done on a production computer, any malware infestations that occur have to be removed before the user can be productive again. Inappropriate content can creep into a computer through seemingly innocuous methods such as Internet advertising from search and social networking websites. Sometimes, this advertising may contain questionable or inappropriate material that is undesirable in a business environment. Moving this website content to a virtual machine also moves any inappropriate content to the virtual machine without impacting the host machine in any way. If the virtual machine becomes infected with malware, it can either be rebuilt or simply deleted and a new virtual machine created.

Virtualization provides a strong benefit for browsing the Internet, especially by employees who like to visit shopping sites, social networking sites and other sites with a questionable business purpose, but which you might allow them to visit if doing so does not affect the productivity and production environment of firm computers. By pushing the browsing to a virtual machine, the risk that any malware that might get installed will impact the primary production computer is significantly reduced.

SUMMARY
Virtualization provides a means of building guest operating systems for testing various configurations and software in a virtual environment without affecting the production computers used in everyday work. Shifting this work over to virtualization keeps the production computers free of test versions of software and potentially keeps them from being impacted by malware. Whether virtualization is used to test new software or to keep malware out of the computer environment, it is a great tool that allows us to do things that we might otherwise avoid because they would affect our production computer(s).

-----------------------------------

VIRTUALIZATION IN REAL LIFE – TWO EXAMPLES
Having personally worked with virtualized computers using Microsoft’s Virtual PC 2007, Microsoft’s Virtual Server 2005 and VMware GSX, I find it an interesting technology that opens doors to testing that were previously unavailable without having a spare computer sitting around. I have set up about 25 virtual computers (both servers and workstations) over the past several years as this technology has become more prevalent and easier to use.

The first example is a machine we use for production for our legacy practice management software. We recently converted to a newer and different platform for our practice management software. This conversion wasn’t really a conversion but was more a process of starting over. Even though both products were developed by the same company, the older product was not 100 percent compatible with the newer software, and we decided not to convert between the two products.

We knew, however, that for a period of time we would need to look at data stored in the old practice management software. We decided to set up this legacy software using Virtual PC 2007 and a Windows XP operating system. After the virtual computer was set up, we installed the practice management software and installed the Virtual PC 2007 software on the workstations of the users who would use the legacy software. The other collateral benefit we obtained from using virtualization was that the virtual machine is now hardware and OS independent. Since the virtual machine is set up and configured with its own separate operating system from the host, it will run whether the host operating system is using Windows XP, Windows Vista or some other operating system.

The second example is more testing and security focused. I have set up a virtual computer using Microsoft Virtual PC 2007. This virtual computer is going to be used to test Internet Explorer 8.0 Beta 2. It will allow me to test this beta version to determine compatibility with our Vista Enterprise operating systems without causing any type of compatibility or stability problems on my production computer.

I will be able to use this virtual computer to test this product, including testing it with our accounting suite software. Should something happen to the virtual machine during testing, I can simply shut it down and start over with a clean copy of the hard disk or I can rebuild it while working on some other productive task. While writing this column, I was actually working on building the virtual machine and installing the beta version of Internet Explorer 8.0.

These two examples provide a reason to not only use this technology but also to make sure that employees in your organization (especially those who like to browse the Internet and are always having problems with their production machine) are using the technology, as well. Using virtualization to test the impact of a change makes this a valuable tool, and anyone familiar with installing an operating system can learn to use and benefit from virtualization.

 

 
