TIGTA Report: IRS Needs to Make Virtual Servers More Secure
by Terri Eyden on
By Jason Bramwell
The IRS has made significant strides in expanding its virtual environment, but more attention is needed to ensure its virtual server configurations are secure, according to a report released publicly November 18 by the Treasury Inspector General for Tax Administration (TIGTA).
Server virtualization is a technology that allows several virtual servers to run on one physical host or server. The conversion of physical servers to virtual servers improves hardware utilization, saves on electricity, and reduces server replacement costs. Vulnerabilities in the virtual infrastructure could put taxpayer data at risk of unauthorized disclosure or loss.
TIGTA's objective for its report, Automated Monitoring Is Needed for the Virtual Infrastructure to Ensure Secure Configurations, was to determine whether the IRS' virtual environment is secure.
"The IRS developed a comprehensive policy that defines the minimum security controls needed to safeguard its virtual environment. The purpose of the policy is to protect its critical infrastructure and assets against attacks that exploit virtualization and to prevent unauthorized access to IRS information systems hosted in the virtual environment," TIGTA stated in the report. "The IRS has been successful in its continued efforts to expand its virtual environment. As a result, the IRS has improved server efficiency and realized cost savings. However, as the IRS continues on this course and more IRS data are maintained in its virtual environment, the IRS must remain vigilant in regard to virtual security."
Although the IRS has established processes to monitor its virtual infrastructure, TIGTA found that security configuration settings on hosts were not in accordance with IRS policy.
TIGTA tested sixteen hosts and found that twelve (43 percent) of twenty-eight required security controls were failed by three or more hosts. In addition, ten (63 percent) of the sixteen hosts were missing a total of forty-eight security patches. Also, audit logs for the hosts were not collected and reviewed as required by IRS policy.
"IRS policy requires the creation, protection, and retention of information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. Auditable events must be captured for all IRS systems," TIGTA stated in the report. "Without the proper capture and review of administrator activity, accountability for actions taken on hosts cannot be established, and unauthorized activity may go undetected."
TIGTA made the following three recommendations to IRS Chief Technology Officer Terence Milholland:
- Implement an automated tool to ensure that host and Virtual Center (vCenter) centralized management tool settings remain in compliance with configuration standards.
- Apply patches to hosts in a timely manner in accordance with IRS policy.
- Implement audit log collection and review on hosts and vCenters in accordance with IRS policy.
The IRS agreed with all of TIGTA's recommendations and plans to procure and/or develop an automated tool, or adapt existing monitoring infrastructure, to report virtual host and vCenter compliance. Patches also will be applied to hosts in a timely manner in accordance with IRS policy. In addition, the IRS will develop audit plans and implement log file collection and review for both the hosts and vCenters.
"We are confident that our routine support practices for our virtual server environment are providing a sound operating environment," Milholland wrote in response to the TIGTA report.
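The first two recommendations describe an automated compliance check: compare each host's security settings against a baseline, flag controls that fail on several hosts, and report patches that are required but not installed. The script below is an added example of that kind of check, not the IRS's or TIGTA's tool. The control IDs, setting names, host names and patch identifiers are constructed for illustration and are not the IRS baseline or real hosts.

```python
"""Baseline compliance check for virtualization hosts (added example).

Given a security baseline (required setting values) and a set of host
configurations, report which controls each host fails, which controls fail
on a threshold number of hosts, and which required patches are missing.
All control IDs, settings, hosts and patch IDs are constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set


@dataclass(frozen=True)
class Control:
    control_id: str
    setting: str
    check: Callable[[Any], bool]   # returns True when the value is compliant
    description: str


# Constructed baseline, loosely modelled on common hypervisor hardening advice.
BASELINE: List[Control] = [
    Control("C01", "ssh_enabled", lambda v: v is False, "SSH service disabled"),
    Control("C02", "shell_enabled", lambda v: v is False, "local shell disabled"),
    Control("C03", "lockdown_mode", lambda v: v in ("normal", "strict"), "lockdown mode enabled"),
    Control("C04", "ntp_servers", lambda v: len(v) >= 2, "at least two NTP sources"),
    Control("C05", "syslog_remote_host", lambda v: bool(v), "remote syslog configured"),
    Control("C06", "shell_timeout_s", lambda v: 0 < v <= 900, "shell timeout at most 15 min"),
    Control("C07", "account_lock_failures", lambda v: 0 < v <= 5, "lock after at most 5 failures"),
]

# Constructed patch set every host is required to carry.
REQUIRED_PATCHES: Set[str] = {"patch-001", "patch-002", "patch-003"}

# Constructed host configurations (not real hosts). esx03 omits the syslog
# setting entirely, which the checker must treat as a failure, not a pass.
HOSTS: Dict[str, Dict[str, Any]] = {
    "esx01": {"ssh_enabled": False, "shell_enabled": False, "lockdown_mode": "normal",
              "ntp_servers": ["ntp1", "ntp2"], "syslog_remote_host": "syslog.example.internal",
              "shell_timeout_s": 600, "account_lock_failures": 5,
              "patches": {"patch-001", "patch-002", "patch-003"}},
    "esx02": {"ssh_enabled": True, "shell_enabled": False, "lockdown_mode": "disabled",
              "ntp_servers": ["ntp1"], "syslog_remote_host": "",
              "shell_timeout_s": 0, "account_lock_failures": 5,
              "patches": {"patch-001"}},
    "esx03": {"ssh_enabled": True, "shell_enabled": True, "lockdown_mode": "normal",
              "ntp_servers": ["ntp1", "ntp2"],
              "shell_timeout_s": 3600, "account_lock_failures": 0,
              "patches": {"patch-001", "patch-002"}},
    "esx04": {"ssh_enabled": True, "shell_enabled": False, "lockdown_mode": "strict",
              "ntp_servers": [], "syslog_remote_host": "syslog.example.internal",
              "shell_timeout_s": 900, "account_lock_failures": 3,
              "patches": {"patch-001", "patch-002", "patch-003"}},
}


def evaluate_host(config: Dict[str, Any], baseline: List[Control] = BASELINE) -> List[str]:
    """Return the IDs of baseline controls this host fails.

    A setting that is absent, or whose value has the wrong type, is a failure:
    a compliance tool must never report "pass" for something it could not verify.
    """
    failed = []
    for c in baseline:
        try:
            ok = c.setting in config and bool(c.check(config[c.setting]))
        except (TypeError, ValueError):
            ok = False
        if not ok:
            failed.append(c.control_id)
    return failed


def missing_patches(config: Dict[str, Any], required: Set[str] = REQUIRED_PATCHES) -> List[str]:
    """Return required patches that are not installed on the host, sorted."""
    return sorted(required - set(config.get("patches", ())))


def compliance_report(hosts: Dict[str, Dict[str, Any]], baseline: List[Control] = BASELINE,
                      threshold: int = 3) -> Dict[str, Any]:
    """Aggregate per-host results the way an audit summary would.

    'widespread' lists controls failed by at least `threshold` hosts, the
    statistic TIGTA used (controls failed by three or more hosts).
    """
    per_host = {name: evaluate_host(cfg, baseline) for name, cfg in hosts.items()}
    fail_counts = {c.control_id: 0 for c in baseline}
    for failed in per_host.values():
        for cid in failed:
            fail_counts[cid] += 1
    widespread = sorted(cid for cid, n in fail_counts.items() if n >= threshold)
    patch_gaps = {name: missing_patches(cfg) for name, cfg in hosts.items()}
    total_missing = sum(len(v) for v in patch_gaps.values())
    return {"per_host": per_host, "fail_counts": fail_counts, "widespread": widespread,
            "patch_gaps": patch_gaps, "total_missing_patches": total_missing}


if __name__ == "__main__":
    report = compliance_report(HOSTS)
    for host, failed in report["per_host"].items():
        print(f"{host}: failed {failed or 'none'}, missing patches {report['patch_gaps'][host] or 'none'}")
    print("controls failed by 3+ hosts:", report["widespread"])
    print("total missing patches:", report["total_missing_patches"])
```

In production the `HOSTS` dictionary would be populated from the management API or an exported configuration rather than typed in, and the report would be scheduled and fed to a ticketing or SIEM system; the checking logic stays the same. The fail-closed handling of missing settings is the detail worth keeping: a host that cannot be assessed is not a compliant host.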