What Must Change
What is already clear in the nascent world of data center VM security is that the processor resource is the currency that governs security tools. Security products that consume even 2 to 3 percent of CPU per VM will likely soon be too expensive to implement. This is due to the cumulative cost of security-for example, on a physical host with four VMs, each protected with a security agent that uses 3 percent of physical CPU (for a total of 12 percent)-when the physical server CPU utilization rate is now expected to be 70 to 80 percent. Adding the security overhead, the already sizable load on the physical CPU is a very hefty penalty. Aside from CPU cycles, security policy will have to be adapted to face the new reality imposed by VM proliferation, spontaneity (sometimes online, sometimes not) and mobility. It is very likely that IT managers will have to increase the number and expertise of security personnel devoted to security policy creation and maintenance as the percentage of VMs increase in the data center. This is because security policy-usually defined as who is supposed to be able to access what resource with an allowed and expected outcome-is difficult under the best of circumstances. As I've outlined, the premise and current implementation of VM technology has created the opposite of the best circumstances for security policy development.