Practical Guide Virtualization Security
VIRTUALIZATION SECURITY
Tips to help you protect your systems and sensitive corporate data
kaspersky.com/business
CONTENTS
Virtualization Benefits . . . For Businesses of All Sizes
Having it All

VIRTUALIZATION BENEFITS . . . For Businesses of All Sizes

In today’s competitive environment – with businesses trying to boost efficiency and cut costs – virtualization is no longer the preserve of multinational enterprises and large-scale data centers. Virtualization promises to:

• Run more applications and services – on fewer servers.
• Cut hardware acquisition costs.
• Reduce operational costs related to maintenance, space and energy.

Virtualization is often an important element in the IT department’s efforts to meet the business’s demand to do more and spend less.

However, whether you’re running applications on physical or virtual machines, you still need to guard against the constant increase in the volume and sophistication of malware and other cyberthreats that could jeopardize your day-to-day operations by:

• Disrupting your business processes – and increasing your operational costs.
• Stealing and exposing your confidential business information.
• Compromising the security of your suppliers’ and customers’ data.
• Destroying the competitive advantage that your business gains from its intellectual property.

MEET MAX, THE INTREPID IT & SECURITY SPECIALIST

As the IT Manager for a business with 150 employees, Max devotes his working life to managing every aspect of the company’s IT systems and services – physical, virtual and mobile. He’s also responsible for keeping all servers, desktops and mobile devices up and running – plus ensuring sensitive corporate data is safe and secure.

With so many tasks to juggle – and tight budget constraints to comply with – Max is always looking for IT solutions that simplify support, automate everyday tasks and help control costs.

Max’s bosses may not totally understand the day-to-day challenges that Max faces – they just know everything has to run smoothly. However, with each passing year, they also realize that the company’s ongoing success is increasingly reliant on IT . . . and Max’s ability to introduce new technologies and IT services that enable improved business processes, while he also continues to ensure valuable information is protected.

Although the company’s IT infrastructure has enabled business-critical processes – that weren’t possible in the past – Max is constantly being asked to do more with less. Furthermore, with the growing number of security threats, plus constant battles to avoid service disruptions and downtime, Max is buried in day-to-day routine, and he’s got no time left to perfect his IT strategy.

ARE VIRTUAL ENVIRONMENTS MORE SECURE . . . OR LESS SECURE?

USING YOUR EXISTING SECURITY POLICIES

The services and applications that your IT department delivers to the business are obviously important – regardless of whether those services and applications are being run on physical or virtual machines.

If your business has recognized the need to protect applications and data running on physical servers, that same need for security applies to applications or business processes that you run in a virtualized environment.

The majority of the policies that you applied to those applications and processes – when they were running on physical servers or desktops – are still just as valid.

Your first steps toward a secure virtualized environment can be as simple as taking your current security and operational policies – that you already apply to your physical servers and desktops – and replicating them across your new virtualized environment.

However, here’s a note of caution – while replicating security policies may make perfect sense, replicating the same security technologies could:

• Introduce security gaps.
• Greatly increase your IT costs.
• Introduce system inefficiencies.

Your choice of virtual machine security technologies will need to be carefully considered. Traditional agent-based security software can bring some highly undesirable side effects.

CYBERCRIMINALS FOCUS ON ATTACKING YOUR WEAK LINKS

With cybercriminals always looking to maximize their ill-gotten gains and minimize the effort necessary to implement their illegal activities, the fact that some businesses fail to apply adequate security measures to their virtual environments has not gone unnoticed.

Criminals recognize that – for many organizations – virtualized components within the corporate IT infrastructure can be the weak link in a business’s defenses . . . and can make it easy for criminals to gain access to corporate systems and confidential, highly valuable information.

AGENT-BASED SECURITY SOFTWARE

This is basically the same type of package that you would install on a physical machine. In a non-virtualized environment, the full security software agent and anti-malware database are installed on the machine (server or desktop).

Generally, using these agent-based products within a virtualized environment is not a good idea. Each virtual machine will require the full agent and full anti-malware signature database to be installed on it. Therefore, if you have 100 virtual machines running on the one virtual host, you’ll have 100 instances of the security agent and 100 instances of the malware signature database on that virtual host.

Obviously, this high level of duplication of the antivirus database wastes storage capacity. In addition, with multiple instances of the security application running, performance will suffer – especially in cases where the security software is running intensive processes on multiple virtual machines on the host.

If one of the motivations behind undertaking a virtualization project is doing more with less hardware, anything that adversely affects consolidation ratios will severely handicap your virtualization project’s ability to generate a good return on investment.

In addition to wasteful duplication of security software and databases, agent-based security can also result in phenomena that further degrade performance or lead to potential gaps in security, including:

• Scanning storms.
• Panic attacks.
• Update storms.
• Instant on gaps.

SCANNING STORMS

Because there are multiple instances of the security agent installed on each virtual host, if several – or even all – virtual machines simultaneously start to run a routine security scan, the other applications that are running on that host will be affected. In the event of a virus outbreak, the resulting malware scanning processes could mean that key applications will almost grind to a halt.

These scanning storms can be avoided if you choose a security solution that has been optimized for virtualized environments.

PANIC ATTACKS

IT administrators often set up policies whereby security will tighten up during a virus outbreak – so that scanning processes simultaneously run on all virtual machines and heuristic analysis is set to maximum. Obviously, this leads to each virtual machine consuming high levels of the host’s resources – including memory and CPU power – and can severely affect the performance of the host machine.

UPDATE STORMS

With the virtual host storing the anti-malware databases for multiple instances of the security agent, all of those databases will be subject to regular updates. Simultaneous updates of each virtual machine’s anti-malware database can severely impact the performance of other applications.

To alleviate this, you may be tempted to stagger the database updates – so that no more than a specified number of virtual machines will update at the same time. However, this approach will mean that the security on some of the virtual machines will lag behind that of other virtual machines on the same host – so some of your virtual machines will be more vulnerable to new or emerging malware and attacks.

Some security products that have been specifically developed for virtualized environments will randomize updates – to minimise the potential for update storms.
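
The update-storm trade-off described above, modelled as an added example (it is not part of the original guide and does not reproduce any vendor's scheduler). It compares simultaneous, staggered and randomized update starts on one host; the VM count, update duration, batch size and randomization window are assumed values chosen for illustration.

```python
import random

def simultaneous(n_vms):
    """Every VM starts updating the moment a new database is published."""
    return [0] * n_vms

def staggered(n_vms, max_concurrent, update_secs):
    """Fixed batches: no more than max_concurrent VMs update at the same time."""
    return [(i // max_concurrent) * update_secs for i in range(n_vms)]

def randomized(n_vms, window_secs, seed):
    """Each VM picks a random start offset inside the window (seeded for repeatability)."""
    rng = random.Random(seed)
    return [rng.randrange(window_secs) for _ in range(n_vms)]

def peak_concurrency(starts, update_secs):
    """Largest number of updates in progress at any instant (sweep over start/end events)."""
    events = []
    for start in starts:
        events.append((start, 1))
        events.append((start + update_secs, -1))
    # At equal timestamps (t, -1) sorts before (t, +1), so back-to-back
    # batches are not counted as overlapping.
    events.sort()
    running = peak = 0
    for _, delta in events:
        running += delta
        peak = max(peak, running)
    return peak

def worst_lag(starts, update_secs):
    """Seconds after publication until the last VM on the host has the new database."""
    return max(starts) + update_secs

def compare(n_vms=100, update_secs=120, max_concurrent=10, window_secs=1800, seed=7):
    """Return peak host load and worst-case protection lag for each policy."""
    plans = {
        "simultaneous": simultaneous(n_vms),
        "staggered": staggered(n_vms, max_concurrent, update_secs),
        "randomized": randomized(n_vms, window_secs, seed),
    }
    return {
        name: {
            "peak": peak_concurrency(starts, update_secs),
            "worst_lag_secs": worst_lag(starts, update_secs),
        }
        for name, starts in plans.items()
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:>12}: peak={result['peak']:3d} concurrent updates, "
              f"last VM protected after {result['worst_lag_secs']} s")
```

In this model staggering caps the load but makes the last batch wait through every earlier one, while randomizing spreads the load without enforcing a hard cap.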

INSTANT ON GAPS

Instant on gaps can be a major security risk for agent-based products.

Consider the case of an office worker logging off their virtual desktop at 5:00 p.m. and then logging back on at 8:00 a.m. the next morning. For those 15 hours, their virtual machine has been totally inactive – and that means its antivirus database and the security application won’t have received any updates.

Although 15 hours may not seem like a long time, in today’s fast moving world, there are a lot of new malware items that can be launched in this relatively short period – and, when it’s first powered up in the morning the user’s virtual desktop could have no protection against the latest threats.

If the user starts his day with a quick browse across a few Internet sites – before the security software update has completed – his virtual computer could be extremely vulnerable to attacks.

Similarly, when administrators first set up a new virtual machine, the instant on gap will mean the machine is vulnerable – until after the security application and database have been updated.

A Message From Max

“Our initial project was a bit rushed, to say the least. Security was almost an afterthought – so we just used our normal security package on each virtual machine.”

“We really thought that we’d benefit from using a security product that we were already familiar with. Then, towards the end of the project, we wondered why we weren’t getting anywhere near our predicted consolidation ratios . . . or the cost savings that my boss was expecting!”

AGENTLESS SECURITY SOFTWARE

For VMware®-based virtual environments, vendors are able to offer agentless security products that make use of a special feature in VMware vSphere – to access the file systems in the virtual machines.

Whereas agent-based security products require the full security agent – and its database – to be replicated on every virtual machine on each host, these agentless security applications only need one instance of the anti-malware database and one virtual machine that’s dedicated to security . . . in order to protect every virtual machine that is running on that host.

Agentless security products can protect virtual servers and virtual desktops, while having no significant impact on hypervisor performance.

Compared with traditional agent-based security, agentless solutions place much less demand on the host machine’s CPU, memory and storage – so IT departments can achieve:

• Higher guest virtual machine densities.
• Higher performance for critical applications and business processes.
• Easy deployment and automatic protection of the newly created virtual machine.
• Higher return on investment.

Furthermore, with only one dedicated security virtual machine, malware scanning storms and security database/application update storms are eliminated. In addition, instant on gaps do not occur.

SMALL FOOTPRINT AGENTS

For Citrix®-based and Microsoft®-based virtual infrastructure, agentless security is not an option. Instead, vendors have developed security solutions that use a combination of a virtual appliance on the virtual host and a small footprint agent – or light agent – on each virtual machine. These light agent solutions can offer a combination of enhanced security and relatively high consolidation ratios.

Light agent solutions often deliver security and management technologies that are not provided by agentless products, including:

• The ability to scan memory – and find memory resident malware.
• Control tools that can be particularly useful in virtual desktop environments.
• Host-based network security – including a firewall and host intrusion prevention system (HIPS).

Even though there is a light agent on each virtual machine, update storms do not occur – as there is only one instance of the security database, which is held within the virtual appliance – and scanning storms are eliminated, because the security virtual appliance automatically randomizes file system scanning.

WORKING OUT WHICH TECHNOLOGY IS BEST FOR YOU

For virtualization security, there’s no one size fits all solution. The optimum approach for your organization – and the unique architecture of your IT infrastructure – will depend on a number of factors, including:

• The level of risk you’re likely to encounter
• The value of the data that your systems store and process
• The consolidation ratios that you’re aiming to achieve
• Your organization’s virtual environment – including servers and desktops
• Your choice of virtualization platform – including VMware, Citrix or Microsoft

However there can be extreme cases whereby a traditional agent-based security product may be necessary. In general, security that’s optimized for virtual environments is desirable as it will offer significant performance, consolidation and operating cost benefits.

For solutions that are optimized for virtualization, it’s a matter of choosing either an agentless solution or a small footprint/light agent security product:

• For VMware-based virtual environments, agentless security can help you to achieve high consolidation ratios and significant ROI increase due to its ease of deployment and simple management.
• Light agent security can deliver an enhanced level of protection. Because agentless solutions are not available for Citrix-based and Microsoft-based virtual infrastructures, light agent products provide the best security solution for these environments.
• A virtualization-aware full agent solution can help in cases where you’re using a wider range of guest operating systems including Linux – or you’re running a less common hypervisor.

HAVING IT ALL

For some businesses, a mixture of both agentless and light agent security products may be appropriate.

For example, in a tightly controlled data center environment – where servers are performing work that doesn’t require them to be constantly connected to the Internet – an agentless security solution may provide more than enough protection.

However, for a virtualized desktop environment – where there’s much less control over how the virtual desktops are being used by employees – there may be a valid case for the deeper levels of protection that a light agent security solution can deliver. This is particularly true if your choice of light agent security product includes additional security technologies, such as Application Control, Device Control and Web Control features that can guard against inappropriate or insecure actions by your users.

A Message From Max

“Being a one-man IT and security department can have its advantages. A friend – who heads the IT security function in a much larger company – was appalled when his employer’s first venture into virtualization was masterminded by the IT operations team, without involving the IT security team.”

“Having to play catch-up on security – halfway through a project – made for some sleepless nights.”

SECURITY THAT GIVES YOU MORE OPTIONS

Kaspersky Lab has virtual security solutions for a wide range of Windows®-based virtual environments, including:

• VMware.
• Citrix.
• Microsoft.

Kaspersky Lab also has security solutions for environments that use two or more virtual vendors’ products.

Kaspersky Lab also gives businesses the ability to choose the security approach that best suits their specific virtual environment:

• Kaspersky Security for Virtualization | Agentless.
• Kaspersky Security for Virtualization | Light Agent.
• Kaspersky Lab’s agent-based security solutions.

ONE LICENSE – TWO WORLD-CLASS SECURITY TECHNOLOGIES

When you buy Kaspersky Security for Virtualization, you get access to both:

• Kaspersky Security for Virtualization | Agentless.
• Kaspersky Security for Virtualization | Light Agent.

. . . so you can deploy different security applications to different areas of your IT infrastructure.

You can also choose between per virtual machine or per core licensing – to select the option that is most cost-effective for your business.

KASPERSKY SECURITY FOR VIRTUALIZATION | AGENTLESS

Whereas traditional security products require a full security agent to be installed on each of your virtual machines, Kaspersky Security for Virtualization | Agentless allows you to protect every virtual machine on a virtual host – just by installing a single security virtual appliance.

Kaspersky Security for Virtualization | Agentless is the ideal choice for VMware-based projects where you’re aiming to achieve good ROI through seamless and non-affecting deployment and steady consolidation ratios – including some data center environments or on servers that aren’t constantly accessing the Internet.

Kaspersky Security for Virtualization | Agentless delivers:

• File-level anti-malware protection.
• Network-level protection – using Kaspersky’s Network Attack Blocker technology.
• Cloud-assisted, real-time threat data – from the Kaspersky Security Network.

Because Kaspersky Security for Virtualization | Agentless can be deployed without your having to reboot any machines – or put the host server into maintenance mode – it’s ideally suited to data centers and businesses that are looking to achieve “five nines” (99.999%) uptime.

Scanning storms, update storms, and instant on gaps are also eliminated.

KASPERSKY SECURITY FOR VIRTUALIZATION | LIGHT AGENT

With Kaspersky Security for Virtualization | Light Agent, one dedicated virtual appliance is installed on the host and a small software agent – called a light agent – is installed on each virtual machine. This offers a greater level of security than is typically achieved by an agentless solution, but still uses far less processing power and storage capacity than a traditional agent-based solution.

Kaspersky Security for Virtualization | Light Agent delivers:

• Advanced anti-malware protection.
• Advanced network-level protection – using HIPS, firewall and Kaspersky’s Network Attack Blocker technology.
• Application Control – to help you manage which applications are allowed to launch.
• Device Control – so you can manage how removable devices are permitted access to your systems.
• Web Control – to help you manage Internet usage and block access to specific types of website.
• Automatic Exploit Prevention (AEP) – to defend against malware that exploits vulnerabilities in your operating system and applications.
• Cloud-assisted, real-time threat data – from the Kaspersky Security Network.

When you deploy Kaspersky Security for Virtualization | Light Agent, there’s no need to reboot any machines – or put the host server into maintenance mode – so Kaspersky Lab’s light agent solution can help you to make “five nines” (99.999%) uptime a reality.

Again, scanning storms, update storms and instant on gaps are also eliminated.

ONE MANAGEMENT CONSOLE – MULTIPLE BENEFITS

Kaspersky Security for Virtualization includes Kaspersky Security Center – an easy-to-use management interface that lets you configure and control a wide range of Kaspersky Lab’s security and systems management technologies, via a single console.

Whether you’re using Kaspersky Security for Virtualization | Agentless, Kaspersky Security for Virtualization | Light Agent – or a combination of both applications – you’ll be able to control them both from one unified management console, which means:

• If you migrate from VMware to Citrix, Microsoft to VMware or Citrix to Microsoft, you’ll still be able to use the same management console.
• Because the same management console also controls Kaspersky Lab’s agent-based security solutions – including Kaspersky Endpoint Security for Business and Kaspersky Total Security for Business – Kaspersky Lab makes it easier for you to migrate from physical to virtual environments at the pace that best suits your business.

Kaspersky Security Center helps you to manage Kaspersky Lab’s security and systems management technologies across physical, virtual and mobile devices.

KASPERSKY ENDPOINT SECURITY FOR BUSINESS

For those rare instances when you need to run a full security agent on your virtual machines, you can choose from one of the tiers of Kaspersky Endpoint Security for Business – or our ultimate business security solution, Kaspersky Total Security for Business.

MAX’S STRATEGY TIPS – FOR SECURE VIRTUALIZATION

“The cost savings and operational benefits offered by virtualization can be very compelling – but there are a few things to bear in mind when you’re putting together your project strategy . . . if you’re going to maintain the security of your company’s systems and information.”

• Make sure security is considered at the very outset of any potential virtualization project. If your company’s virtualization roll-out plans don’t include security – that’s an incomplete and insecure strategy.
• When you’re assessing which virtualization platform is right for your project, make sure you also consider how that platform will affect your security options.
• Consider starting by replicating all of the security policies you currently apply to your physical IT infrastructure – to your new virtual environment.
• Assess each project – and its security requirements – before setting targets for performance and consolidation ratios.
• Carefully review the available security technologies, including:
  – Agent-based.
  – Agentless.
  – Light Agent.
• Choose a security solution that will accommodate changes in the virtualization software that you’re running. If you’re using VMware now, but you later move to Citrix, you’ll want to avoid the expense of having to buy new security software licenses and also having to retrain on the use of a new security package.
• Assess how well your chosen virtualization security software is integrated with other security technologies. Higher levels of integration will mean a much lower load on your IT administration resources.
• To ease the burden on your IT security and IT administration teams, choose a security solution that enables you to control multiple security technologies and functions from a single management console.

LEARN MORE ABOUT
VIRTUALIZATION SECURITY
Kaspersky Lab is the world’s largest privately held vendor of
endpoint protection solutions. The company is ranked among the
world’s top four vendors of security solutions for endpoint users.*
Throughout its more than 17-year history Kaspersky Lab has
remained an innovator in IT security and provides effective digital
security solutions for large enterprises, SMBs and consumers.
Kaspersky Lab, with its holding company registered in the United
Kingdom, currently operates in almost 200 countries and
territories across the globe, providing protection for over
400 million users worldwide.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by
Vendor, 2013. The rating was published in the IDC report “Worldwide Endpoint Security
2014–2018 Forecast and 2013 Vendor Shares” (IDC #250210, August 2014). The report ranked
software vendors according to earnings from sales of endpoint security solutions in 2013.