By Jason Bramwell
The IRS has made significant strides in expanding its virtual environment, but more attention is needed to ensure its virtual server configurations are secure, according to a report released publicly November 18 by the Treasury Inspector General for Tax Administration (TIGTA).
Server virtualization is a technology that allows several virtual servers to run on one physical host or server. The conversion of physical servers to virtual servers improves hardware utilization, saves on electricity, and reduces server replacement costs. Vulnerabilities in the virtual infrastructure could put taxpayer data at risk of unauthorized disclosure or loss.
TIGTA's objective for its report, Automated Monitoring Is Needed for the Virtual Infrastructure to Ensure Secure Configurations, was to determine whether the IRS' virtual environment is secure.
"The IRS developed a comprehensive policy that defines the minimum security controls needed to safeguard its virtual environment. The purpose of the policy is to protect its critical infrastructure and assets against attacks that exploit virtualization and to prevent unauthorized access to IRS information systems hosted in the virtual environment", TIGTA stated in the report. "The IRS has been successful in its continued efforts to expand its virtual environment. As a result, the IRS has improved server efficiency and realized cost savings. However, as the IRS continues on this course and more IRS data are maintained in its virtual environment, the IRS must remain vigilant in regard to virtual security."
Although the IRS has established processes to monitor its virtual infrastructure, TIGTA found that security configuration settings on hosts were not in accordance with IRS policy.
TIGTA tested sixteen hosts and found that twelve (43 percent) of twenty-eight required security controls were failed by three or more hosts. In addition, ten (63 percent) of the sixteen hosts were missing a total of forty-eight security patches. Also, audit logs for the hosts were not collected and reviewed as required by IRS policy.
"IRS policy requires the creation, protection, and retention of information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. Auditable events must be captured for all IRS systems", TIGTA stated in the report. "Without the proper capture and review of administrator activity, accountability for actions taken on hosts cannot be established, and unauthorized activity may go undetected."
TIGTA made the following three recommendations to IRS Chief Technology Officer Terence Milholland:
- Implement an automated tool to ensure that host and the Virtual Center (vCenter) centralized management tool settings remain in compliance with configuration standards.
- Timely apply patches to hosts in accordance with IRS policy.
- Implement audit log collection and review on hosts and vCenters in accordance with IRS policy.
The IRS agreed with all of TIGTA's recommendations and plans to procure and/or develop an automated tool, or adapt existing monitoring infrastructure, to report virtual host and vCenter compliance. Patches also will be applied to hosts in a timely manner in accordance with IRS policy. In addition, the IRS will develop audit plans and implement log file collection and review for both the hosts and vCenters.
"We are confident that our routine support practices for our virtual server environment are providing a sound operating environment", Milholland wrote in response to the TIGTA report.