Treasury Inspector General for Tax Administration
November 18, 2013
TIGTA - 2013-44
Contact: David Barnes
WASHINGTON – The Internal Revenue Service (IRS) needs to ensure the security of its virtual servers, a new report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA) concludes.
Server virtualization is a technology that allows several “virtual” servers to run on one physical host, or server. The conversion of physical servers to virtual servers improves hardware utilization, saves on electricity, and reduces server replacement costs.
The overall objective of this review was to determine whether the IRS’s virtual environment is secure.
TIGTA’s report found that the IRS has developed a comprehensive policy establishing the minimum security controls to prevent unauthorized access to IRS information systems hosted in its virtual environment. A successful attack against a host can compromise all of the virtual servers residing on that host.
Although the IRS has established processes to monitor its virtual infrastructure, TIGTA found that security configuration settings on hosts were not in accordance with IRS policy. In addition, audit logs for the hosts were not collected and reviewed as required by IRS policy. Until an automated monitoring tool is implemented, the IRS will not be able to effectively monitor and maintain security configurations that are needed to secure the IRS virtual infrastructure and the sensitive information that resides on it.
TIGTA recommended that the Chief Technology Officer ensure that the IRS: 1) implements automated monitoring to ensure that host settings remain in compliance with configuration standards; 2) applies software patches to hosts timely in accordance with IRS policy; and 3) implements audit log collection and review in accordance with IRS policy.
The IRS agreed with all of TIGTA’s recommendations and plans to: 1) procure and/or develop an automated tool, or adapt existing monitoring infrastructure, to report virtual host compliance; 2) apply patches to hosts timely in accordance with IRS policy; and 3) develop audit plans and implement log file collection and review for the hosts.
Read the report.
Note: The difference between the date TIGTA issues an audit report to the Internal Revenue Service and the date TIGTA publicly releases the report is due to TIGTA's internal review process to ensure that public release is in compliance with Federal confidentiality laws.