Real Risks Inside Every Virtual Box
- 07 March, 2008 15:19
- Comments
VIRTUALIZATION | Last year, the big question about virtualization in data centres was: "How much money and time will this save us?" This year, the big question will be: "How secure are we?"
It's an extremely tough question to answer. A slew of vendors and consultants trying to sell security products and services have conflicting opinions about the risks and how to prevent them. Simultaneously, some security researchers are hyping theoretical risks such as the possible emergence of malware targeted at hypervisors (a threat that has yet to appear in the real world). "There's a lot of noise out there on virtualization," says Chris Wolf, senior analyst for market research firm Burton Group. "It can be distracting."
Adding fuel to the hype is that fact that many IT organizations say they prioritized operational speed over most other factors, including security planning, when they started creating hundreds of new VMs in 2007. (That's not surprising, when you consider that most enterprises started with virtualization on their testing and application development boxes, not their servers running core business apps.)
"We're finding security is the forgotten stepchild in the virtualization build-out," says Stephen Elliott, IDC's research director for enterprise systems management software. "That's scary when you think about the number of production-level VMs." According to IDC, 75 percent of companies with 1000 or more employees are employing virtualization today.
And through 2009, 60 percent of production VMs will be less secure than their physical counterparts, Gartner VP Neil MacDonald predicted in a presentation at Gartner's October 2007 Symposium/ITxpo.
But much of the discussion about virtualization security has been flawed to date, says security expert Chris Hoff, because people often frame the discussion by asking whether virtual servers are more or less secure than physical ones.
That's the wrong question, says Hoff, who blogs frequently on this topic and serves as chief architect for security innovation at Unisys. The right question, he says, is: "Are you applying what you already know about security to your virtualized environment?"
"People get wound up about theoreticals . . . when in reality there's a clear set of things you can do today," Hoff says. Certainly, virtualization does introduce some new security concerns, but first things first, he says. "We have to be pragmatic. Let's make sure we architect the virtual network as well as we architect the physical networking."
As an example, he points to a virtualization management tool such as VMware's VMotion, which is helpful for moving VMs around in times of machine trouble, but which can also allow someone with admin rights to combine two VMs that, in the physical world, would have been carefully separated in terms of network traffic for security reasons.
Some IT organizations are making a fundamental mistake right now: They're letting the server group run the virtualization effort almost single-handedly - leaving the IT team's security, storage and networking experts out of the loop. This can create security problems that have nothing to do with inherent weaknesses of the virtualization technology or products. "This is a perfect opportunity to bring the teams together," Hoff says.
"Virtualization is 90 percent planning," says Burton Group's Wolf. "The planning has to include the whole team, including the network, security and storage teams."
But the fact is, most IT teams ran fast with virtualization and now must play catch-up. What if you missed that opportunity to plan with all your experts, and you're starting to worry more as you expand your number of VMs and put higher-profile apps on those VMs?
"To catch up, start with a good audit of your virtual infrastructure," using tools or consultants, Wolf says. "Then you really have to work backwards." (Wolf suggests checking out audit tools from CiRBA and PlateSpin for this purpose.)
Here are 10 positive steps enterprises can take now to tighten virtualization security.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Bookmark this page
- Share this article
- Got more on this story? Email CIO
- Follow CIO on twitter
-
Social networking security in the workplace
-
Facebook stock slumps for third day
-
Dell's profit shrinks in the first quarter
-
How to design a successful RACI project plan
-
Technology top for CEOs
-
IDC Whitepaper: Generating Proven Business Value with EMC Next-Generation Backup and Recovery
IDC interviewd ten companies that have deployed EMC backup and recovery solutions, including EMC Data Domain and EMC Avamar. Some of the customers also had EMC NetWorker. The purpose was to identify and quantify the resulting business value of each project, in order to calculate a cumulative return on investment. Read on. -
10 Essential Steps to Web Security
This short guide outlines 10 simple steps to best practice in web security. Follow them all to step up your organisation’s information security and stay ahead of your competitors. But remember that the target never stands still. Focus on the principles behind the steps – policy, vigilance, simplification, automation and transparency – to keep your information security bang up to date. -
Pathways Advanced ICT Leadership Development Program Brochure and Course Outline 2012
Developed by the CIO executive Council in conjunction with Rob Livingstone Advisory, Pathways Advanced is a 12-month CIO delivered, small group, mentor based professional leadership development program. Pathways Advanced brings together best practice, thought leadership and business insights for today’s most promising ICT professionals
Get exclusive access to Invitation only events CIO, reports & analysis. 
Comments
Post new comment