In this tough economic environment, we are always on the lookout for opportunities to do more with less. In my last post, I pointed you to two free tools to help locate rogue SharePoint sites. Keeping with the theme, here are some free tools for virtualization security.
There are multiple security issues that need to be at least considered before undertaking a widespread virtualization initiative. Of the dozens of best practices for securing virtualization, a foundational one is to define your own standard(s) for secure configuration of the virtualization software layer (the hypervisor and the virtual machine monitor) and to regularly verify that the virtualization layer is configured according to those standards.
At least two vendors are providing some capabilities to do this at no cost for VMware’s ESX: Tripwire’s ConfigCheck (Tripwire is best known for file integrity monitoring, but also has configuration management capabilities) and Configuresoft’s Compliance Checker for VMware ESX.
Free is not a sustainable business model, so there are some limitations to the tools. Examples include limiting the number of servers scanned or limiting scans to comparisons against just the VMware or Center for Internet Security hardening guidelines (the idea is to get you to upgrade to an enterprise version where you can expand and modify the configuration definitions).
Of course, doing nothing is also free, but, as with any enterprise IT platform, we have a responsibility to make sure the virtualization platform has a configuration and vulnerability management process that is defined and followed.
If you are checking configurations manually or not at all, free tools are a good way to get started.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.