VMware, Microsoft and others are rolling out safeguards for virtualized IT infrastructures, but are they enough in the quickly changing data center?
Aside from "the hypervisor has never been compromised," virtualization platform makers aren't likely to talk too much about security concerns. Impediments to selling lots of licenses fast, such as questions about securing a virtualized IT infrastructure, are about as welcome as flies at a picnic.
However, for IT managers who are rolling out virtual servers and networks in the data center, security should be a chart-topping concern with a bullet.
For one thing, virtualization platforms have made it far easier and much faster to create and deploy servers and applications than was possible when physical limitations governed system rollouts. For another, security tools and practices that worked in the physical world can be seriously compromised by the very qualities that make virtual machines so appealing: mobility across physical resources, demand-based provisioning such that server resources appear and disappear at a rate never seen in the physical world, high utilization of individual physical server resources, and the blurring of roles between systems and network management.
The data center network perimeter is an important security boundary. However, the traditional, and now I must add physical, character of the network perimeter is subject to increased stress by the rate and quantity of change inside the data center that have been brought about by x86 server virtualization.
Increased stress is created by the sheer proliferation of VMs. Creating security policy for applications on physical systems was hard enough to keep on top of. With the time needed to deploy a new server reduced from weeks to hours, network security personnel must interject to ensure that these swiftly made systems don't start leaking data or carrying malware just as quickly.
Security stress is also created by the rapid movement of systems inside the data center. Physical systems could be relied upon to stay put, the very antithesis of VM productivity. When a VM moves today, it is far from certain that the security policies that govern how that resource is protected will move with it.
Finally, stress is placed on traditional security methods because virtualization breaks down walls between the traditional silos of system, application and network specialties, with security a distant afterthought in the gold rush-like dash to take advantage of the tremendous economic savings of x86 server virtualization.
methodology of adding a physical server to the data center was due in part to the fact that a truck had to deliver a piece of hardware. In addition, that hardware had to be physically connected to the network, which meant that the systems people, who have some knowledge but usually no access to network equipment configuration, had to interact with other IT staff.
Let's face it, having a second or even third (the applications group) set of eyes on the process likely increased the care with which new systems were put in place. With virtualization, it is possible to have a single IT technician instantiate a new system fully provisioned in the virtual switch in a matter of minutes and with no other oversight. Given the fragile and complex nature of IT infrastructure, that is a stressful event.
What can stay the same, what needs to change and where virtualization improves security are key considerations with which IT managers must contend. The answers to all of these questions are contested, and no clear winning product or strategy has been yet
However, some trends and practices are emerging that portend the future.
tool vendors are beginning to shape their wares for the virtual world. Microsoft, after suffering a decade of criticism over the insecurity of its Windows operating system, has taken pains to ensure that security is in the DNA of its virtualization offerings. In addition, VMware, the 800-pound gorilla of virtualization, is advancing VMsafe based on APIs that enable secure operation of its platform.