TIGTA Report: IRS Needs to Make Virtual Servers More Secure

By Jason Bramwell
 
The IRS has made significant strides in expanding its virtual environment, but more attention is needed to ensure its virtual server configurations are secure, according to a report released publicly November 18 by the Treasury Inspector General for Tax Administration (TIGTA).
 
Server virtualization is a technology that allows several virtual servers to run on one physical host or server. The conversion of physical servers to virtual servers improves hardware utilization, saves on electricity, and reduces server replacement costs. Vulnerabilities in the virtual infrastructure could put taxpayer data at risk of unauthorized disclosure or loss. 
 
TIGTA's objective for its report, Automated Monitoring Is Needed for the Virtual Infrastructure to Ensure Secure Configurations, was to determine whether the IRS' virtual environment is secure.
 
"The IRS developed a comprehensive policy that defines the minimum security controls needed to safeguard its virtual environment. The purpose of the policy is to protect its critical infrastructure and assets against attacks that exploit virtualization and to prevent unauthorized access to IRS information systems hosted in the virtual environment," TIGTA stated in the report. "The IRS has been successful in its continued efforts to expand its virtual environment. As a result, the IRS has improved server efficiency and realized cost savings. However, as the IRS continues on this course and more IRS data are maintained in its virtual environment, the IRS must remain vigilant in regard to virtual security." 
 
Although the IRS has established processes to monitor its virtual infrastructure, TIGTA found that security configuration settings on hosts were not in accordance with IRS policy.
 
TIGTA tested sixteen hosts and found that twelve (43 percent) of twenty-eight required security controls were failed by three or more hosts. In addition, ten (63 percent) of the sixteen hosts were missing a total of forty-eight security patches. Also, audit logs for the hosts were not collected and reviewed as required by IRS policy. 
 
"IRS policy requires the creation, protection, and retention of information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. Auditable events must be captured for all IRS systems," TIGTA stated in the report. "Without the proper capture and review of administrator activity, accountability for actions taken on hosts cannot be established, and unauthorized activity may go undetected." 
 
TIGTA made the following three recommendations to IRS Chief Technology Officer Terence Milholland: 
  1. Implement an automated tool to ensure that host and the Virtual Center (vCenter) centralized management tool settings remain in compliance with configuration standards. 
  2. Timely apply patches to hosts in accordance with IRS policy.
  3. Implement audit log collection and review on hosts and vCenters in accordance with IRS policy.
The IRS agreed with all of TIGTA's recommendations and plans to procure and/or develop an automated tool, or adapt existing monitoring infrastructure, to report virtual host and vCenter compliance. Patches also will be applied to hosts in a timely manner in accordance with IRS policy. In addition, the IRS will develop audit plans and implement log file collection and review for both the hosts and vCenters. 
 
"We are confident that our routine support practices for our virtual server environment are providing a sound operating environment," Milholland wrote in response to the TIGTA report. 
 
Related articles:
 

You may like these other stories...

Former DOJ Tax Division head Kathryn Keneally joining DLA Piper in New YorkGlobal law firm DLA Piper announced on Thursday that Kathryn Keneally, the former head of the US Justice Department Tax Division, is joining the firm...
OECD calls for coordinated fight against corporate tax avoidanceDavid Jolly of the New York Times reported that dozens of countries with the most advanced economies have agreed on principles for concrete action to prevent...
Plan ahead before you buy some shares in a stock mutual fund near yearend, when the fund is about to pay a dividend. It might be better to wait until after the fund goes "ex-dividend," that is, wait until after the...

Already a member? log in here.

Upcoming CPE Webinars

Sep 24
In this jam-packed presentation Excel expert David Ringstrom, CPA will give you a crash-course in creating spreadsheet-based dashboards. A dashboard condenses large amounts of data into a compact space, yet enables the end user to easily drill down into details when warranted.
Sep 30
This webcast will include discussions of important issues in SSARS No. 19 and the current status of proposed changes by the Accounting and Review Services Committee in these statements.
Oct 21
Kristen Rampe will share how to speak and write more effectively by understanding your own and your audience's communication style.
Oct 23
Amber Setter will show the value of leadership assessments as tools for individual and organizational leadership development initiatives.