By now, most organizations are either starting to adopt -- or have already adopted -- virtualization technologies. As a result, security pros are increasingly becoming all too familiar with the unique security challenges that affect a virtual environment. Chief among those concerns is maintaining a reliable virtual asset inventory.
Certain tools that companies might already have in place can help supplement inventorying information within a virtual environment.
As any IT security pro can attest, keeping on top of changes and updates in any large-scale technology deployment (virtual or otherwise) is difficult to do reliably. Important information is critical, such as where the asset resides, what function it performs, the data it handles and processes, the personnel responsible for keeping it up to date, the administrators who can log in to it, and the business processes it supports. And all of these details have a direct bearing on the security and operations of the environment. As important as they are, they are just as difficult to keep current.
Virtualization compounds the problem of keeping inventory information straight because virtual environments (e.g., virtual data centers, private cloud deployments, IaaS) are not static. There's a constant background "Brownian motion" of virtual images that keeps the environment in a near-constant state of change. This motion occurs through a number of factors: images moving from hypervisor to hypervisor (for example, to optimize storage), through the creation of ephemeral images such as those created to support changes in demand (i.e., bursting), or the near-constant serialization and deserialization of images between "live" and "dormant" states.
But while keeping an inventory reliable is both difficult and important, it's paradoxically not a space where organizations are often willing to invest in purchasing and deploying specialized inventory or asset discovery tools. This means that many organizations are looking for opportunities to use tools they already have to help keep inventories current or instances where they can make use of tools they can get for a low cost.
Tools you might have already
Frankly, it can be hard to get funding for security tools during a virtualization push. There are a few reasons for this, but the simple answer is that many virtualization efforts are driven by cost reduction, and adding security tools to the budget undermines the cost savings that someone in the company is undoubtedly tracking closely. This creates pressure that often causes requests for tools to go unfulfilled. While there are a number of fantastic tools targeted directly at finding, inventorying and tracking virtual and physical host assets, actually getting to deploy them could be out of the question. Fortunately, certain tools that companies might already have in place can help supplement inventorying information within a virtual environment.
Many operational and security tools have a discovery component. First and foremost, virtualization products can often provide information about the virtual images that exist within the scope of that hypervisor. This technique has the advantage of giving visibility into images that are offline but visible to the hypervisor. The downside is that this information is sometimes difficult to reconcile -- both with other sources of asset data and among reports from different hypervisors. For example, consider situations where there are multiple hypervisor environments providing data only on a subset of images, which may be named and organized similarly. It's often too hard to distinguish one instance (and its purpose) from another.
For this reason, it can be advantageous to also draw on supplemental data to add granularity. Some network management tools have the capability to locate, identify and report on hosts that they discover; vulnerability scanning tools can provide solid information about what's fielded as determined by the scanning and mapping tasks it conducts. It goes without saying, however, that both of these tools are best at reporting "live" hosts, i.e., those that are currently running and in an operational state. Hosts that are offline (such as "spun down" virtual images) won't show up in these reports.
If it's possible to leverage tools that are already fielded, do so. Run those tools on a periodic basis and tie the output to the last known inventory data. Some legwork is required in making technical subject matter experts track down and record information about new images that are discovered, but the time spent doing this is returned during a security incident or other scenario that involves the need for a reliable inventory.
Open source and community-supported tools
Of course, as data is collected, it needs to be put somewhere. If you're using a spreadsheet, Access database or other list-based approach to keeping track of inventory, you may find the approach untenable for a virtual environment with any degree of "churn." Therefore, some companies may find it valuable to investigate open source, free or community-supported tools that can assist in maintaining a reliable inventory. In many cases, having a specific purpose-built tool to do this has the advantage of incorporating features designed to keep inventories current.
From the editor: More on virtual inventorying
Inventory management: What does it take?
IaaS security puts spotlight on hypervisor security
For example, Spiceworks is generally free to use for internal purposes. It includes inventorying capabilities and even has some virtualization-specific inventorying functionality built in. Open source tools like OCS Inventory and OpenNMS also go quite a long way in helping to keep track of the inventorying work and the results of what is found. Though not a panacea, each of these tools has the capacity to support automated discovery, inventory tracking and the establishing of relationships between assets (which is particularly important when tracking which VMs are on which hypervisors.) The best part: They won't cost you a cent.
Alternatively, some governance, risk and compliance (GRC) tools (e.g., Modulo Risk Manager and EMC's Archer), though not themselves focused on inventorying specifically, can provide a location for inventory data as it is collected. In some cases, these tools can directly import information from Active Directory, vulnerability scanners or even (painful though it might be to supply them) from spreadsheets and databases.
The bottom line
If your company is successfully using a virtual system inventory tool today that's not one of those mentioned above, by all means continue to use it. However, if it's not using any tool, the organization might quickly find that having a tool (even discounting automated discovery features and other fancier integrations like software inventory and ticket system integration) is fantastically helpful in staying organized.
Between getting better data about what hosts are fielded and having a repository where this information can be placed, some of the significant work involved in keeping up with a dynamic virtual environment is reduced. Longer term, it may be prudent to re-evaluate commercial alternatives relative to these two tasks, but if companies can't get funding for that, these alternatives can be a godsend.
About the author:
Ed Moyle is a founding partner with New Hampshire-based information security and compliance consulting firm SecurityCurve. Moyle previously worked as a senior manager with CTG's global security practice, and prior to that served as vice president and information security officer to Merrill Lynch Investment Managers. In addition to his numerous contributions to Information Security magazine and SearchSecurity.com, Moyle is co-author of the book, Cryptographic Libraries for Developers, and is a frequent contributor to the information security industry as an author, expert speaker and analyst.
This was first published in December 2012