TIGTA Report: IRS Needs to Make Virtual Servers More Secure

By Jason Bramwell
 
The IRS has made significant strides in expanding its virtual environment, but more attention is needed to ensure its virtual server configurations are secure, according to a report released publicly November 18 by the Treasury Inspector General for Tax Administration (TIGTA).
 
Server virtualization is a technology that allows several virtual servers to run on one physical host or server. The conversion of physical servers to virtual servers improves hardware utilization, saves on electricity, and reduces server replacement costs. Vulnerabilities in the virtual infrastructure could put taxpayer data at risk of unauthorized disclosure or loss. 
 
TIGTA's objective for its report, Automated Monitoring Is Needed for the Virtual Infrastructure to Ensure Secure Configurations, was to determine whether the IRS' virtual environment is secure.
 
"The IRS developed a comprehensive policy that defines the minimum security controls needed to safeguard its virtual environment. The purpose of the policy is to protect its critical infrastructure and assets against attacks that exploit virtualization and to prevent unauthorized access to IRS information systems hosted in the virtual environment," TIGTA stated in the report. "The IRS has been successful in its continued efforts to expand its virtual environment. As a result, the IRS has improved server efficiency and realized cost savings. However, as the IRS continues on this course and more IRS data are maintained in its virtual environment, the IRS must remain vigilant in regard to virtual security." 
 
Although the IRS has established processes to monitor its virtual infrastructure, TIGTA found that security configuration settings on hosts were not in accordance with IRS policy.
 
TIGTA tested sixteen hosts and found that twelve (43 percent) of twenty-eight required security controls were failed by three or more hosts. In addition, ten (63 percent) of the sixteen hosts were missing a total of forty-eight security patches. Also, audit logs for the hosts were not collected and reviewed as required by IRS policy. 
 
"IRS policy requires the creation, protection, and retention of information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. Auditable events must be captured for all IRS systems," TIGTA stated in the report. "Without the proper capture and review of administrator activity, accountability for actions taken on hosts cannot be established, and unauthorized activity may go undetected." 
 
TIGTA made the following three recommendations to IRS Chief Technology Officer Terence Milholland: 
  1. Implement an automated tool to ensure that host and the Virtual Center (vCenter) centralized management tool settings remain in compliance with configuration standards. 
  2. Timely apply patches to hosts in accordance with IRS policy.
  3. Implement audit log collection and review on hosts and vCenters in accordance with IRS policy.
The IRS agreed with all of TIGTA's recommendations and plans to procure and/or develop an automated tool, or adapt existing monitoring infrastructure, to report virtual host and vCenter compliance. Patches also will be applied to hosts in a timely manner in accordance with IRS policy. In addition, the IRS will develop audit plans and implement log file collection and review for both the hosts and vCenters. 
 
"We are confident that our routine support practices for our virtual server environment are providing a sound operating environment," Milholland wrote in response to the TIGTA report. 
 
Related articles:
 

You may like these other stories...

There it stands, your client's 100-year-old, rickety, vermin-infested barn or former hotel or whatever the darn thing once was. And she's considering what to do with it. There are two words that can help her decide...
It's not a reality—yet—but accounting software is poised to eliminate accountants. We are at a tipping point for many similar professions: online education replacing professors, legal software replacing...
Did you know that the tax code allows you to claim tax deductions for household damage caused by thefts, vandalism, fires, floods, hurricanes, and others kinds of casualties? But the law imposes several restrictions.Relief...

Upcoming CPE Webinars

Jul 31
In this session Excel expert David Ringstrom helps beginners get up to speed in Microsoft Excel. However, even experienced Excel users will learn some new tricks, particularly when David discusses under-utilized aspects of Excel.
Aug 5
This webcast will focus on accounting and disclosure policies for various types of consolidations and business combinations.
Aug 20
In this session we'll review best practices for how to generate interest in your firm’s services.
Aug 21
Meet budgets and client expectations using project management skills geared toward the unique challenges faced by CPAs. Kristen Rampe will share how knowing the keys to structuring and executing a successful project can make the difference between success and repeated failures.