TIGTA Report: IRS Needs to Make Virtual Servers More Secure

By Jason Bramwell
 
The IRS has made significant strides in expanding its virtual environment, but more attention is needed to ensure its virtual server configurations are secure, according to a report released publicly November 18 by the Treasury Inspector General for Tax Administration (TIGTA).
 
Server virtualization is a technology that allows several virtual servers to run on one physical host or server. The conversion of physical servers to virtual servers improves hardware utilization, saves on electricity, and reduces server replacement costs. Vulnerabilities in the virtual infrastructure could put taxpayer data at risk of unauthorized disclosure or loss. 
 
TIGTA's objective for its report, Automated Monitoring Is Needed for the Virtual Infrastructure to Ensure Secure Configurations, was to determine whether the IRS' virtual environment is secure.
 
"The IRS developed a comprehensive policy that defines the minimum security controls needed to safeguard its virtual environment. The purpose of the policy is to protect its critical infrastructure and assets against attacks that exploit virtualization and to prevent unauthorized access to IRS information systems hosted in the virtual environment," TIGTA stated in the report. "The IRS has been successful in its continued efforts to expand its virtual environment. As a result, the IRS has improved server efficiency and realized cost savings. However, as the IRS continues on this course and more IRS data are maintained in its virtual environment, the IRS must remain vigilant in regard to virtual security." 
 
Although the IRS has established processes to monitor its virtual infrastructure, TIGTA found that security configuration settings on hosts were not in accordance with IRS policy.
 
TIGTA tested sixteen hosts and found that twelve (43 percent) of twenty-eight required security controls were failed by three or more hosts. In addition, ten (63 percent) of the sixteen hosts were missing a total of forty-eight security patches. Also, audit logs for the hosts were not collected and reviewed as required by IRS policy. 
 
"IRS policy requires the creation, protection, and retention of information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. Auditable events must be captured for all IRS systems," TIGTA stated in the report. "Without the proper capture and review of administrator activity, accountability for actions taken on hosts cannot be established, and unauthorized activity may go undetected." 
 
TIGTA made the following three recommendations to IRS Chief Technology Officer Terence Milholland: 
  1. Implement an automated tool to ensure that host and the Virtual Center (vCenter) centralized management tool settings remain in compliance with configuration standards. 
  2. Timely apply patches to hosts in accordance with IRS policy.
  3. Implement audit log collection and review on hosts and vCenters in accordance with IRS policy.
The IRS agreed with all of TIGTA's recommendations and plans to procure and/or develop an automated tool, or adapt existing monitoring infrastructure, to report virtual host and vCenter compliance. Patches also will be applied to hosts in a timely manner in accordance with IRS policy. In addition, the IRS will develop audit plans and implement log file collection and review for both the hosts and vCenters. 
 
"We are confident that our routine support practices for our virtual server environment are providing a sound operating environment," Milholland wrote in response to the TIGTA report. 
 
Related articles:
 

You may like these other stories...

Starting in October, the IRS will send warning letters to tax return preparers who appear not to be complying with Earned Income Tax Credit (EITC) due diligence requirements.Section 6695(g) of the Internal Revenue Code...
BKD LLP adds Illinois accounting firm Wolf & Co.Springfield, Missouri-based CPA and advisory firm BKD LLP and Chicago-based accounting firm Wolf & Co. have agreed to merge, the firms announced on Monday. Wolf will...
A new government report on Monday found that the IRS may not be completing the required research steps in collecting delinquent taxes before considering the cases “not collectible.”The Treasury Inspector General...

Already a member? log in here.

Upcoming CPE Webinars

Oct 9In this jam-packed presentation Excel expert David Ringstrom, CPA will give you a crash-course in creating spreadsheet-based dashboards.
Oct 15This webinar presents the requirements of AU-C 600, Audits of Group Financial Statements (Including the Work of Component Auditors).
Oct 21Kristen Rampe will share how to speak and write more effectively by understanding your own and your audience’s communication style.
Oct 23Amber Setter will show the value of leadership assessments as tools for individual and organizational leadership development initiatives.