"We're about 80 percent virtualized," says Rick Olejnik, chief information security officer at Brookfield, Wis.-based law firm Rausch, Sturm, Israel, Enerson & Hornik (RSIEH), which specializes in debt collection and has offices in 13 states.
One of the law firm's main concerns was securing credit-card data in its VMware ESX server environment, even though the credit card numbers are defunct. About a year or so ago, the banks and financial institutions that make up RSIEH's clientele made it clear that although these are no longer active card numbers, they still need to be protected according to the Payment Card Industry rules.
That meant encrypting them. Olejnik said that led to the decision about eight months ago to deploy the Vormetric appliance for encryption key management, along with encryption software on ESX servers to encrypt PCI data at rest, while the agent software decrypts the data so that the application, called Collection Master, can access and process the information.
"It's happening at the kernel level and there have been no performance issues at all," says Olejnik. But besides adding encryption to the virtualized computing environment, another security control at the law firm depends on using the Palo Alto Networks application-layer firewall to partition off VMs. "This allows us to do the segmentation required on our internal network," says Olejnik.
At Wellington College just outside London, one of the main concerns had been finding a way to bring in better threat detection, rogue-device identification, access control for guests and visibility of network usage into a VMware-based ESX virtualized environment.
To that end, the college has started using ForeScout Technologies' CounterACT Network Access Control Virtual Appliance, out since mid-June, to monitor the college's VMware-based hosts. It runs as a VMware guest VM and works in tandem with the ForeScout physical appliance. Tony Whelton, director of IT services and development at Wellington College, says the ForeScout Network virtual appliance is checking for security vulnerabilities and "doing real-time scanning across the LAN for any kind of rogue traffic."
The California state Department of Economic Development, which administers the state's unemployment insurance, disability and workforce services, is shifting into a Microsoft Hyper-V-based virtualized environment for servers while also becoming far more centralized than it has been in the past in terms of management.
Now past the halfway mark into a fully virtualized environment, the agency has sought to improve its collection of logging information through use of the LogLogic products, mainly for security purposes and database monitoring, says John Cleveland, chief of the security and compliance section. "You have to be able to show who accessed this table at this time, for example," he says.
The shift to server virtualization is bringing heightened concerns about the security of the virtual host, and there are challenges in monitoring what happens from VM to VM, says Cleveland. While the agency does not yet use cloud-based services, he points out that the move to virtualization makes it more feasible for the agency to use hosted customized applications in the cloud. He says he sees a growing need for products that act as a central repository related to both security and content in a virtualized environment for compliance purposes. "I see a need to have these merged," he says.