When Virtualization Is Safer

By Cameron Sturdevant  |  Posted 2008-09-15 Print this article Print

It is thought that the introduction of any software increases the risk that the system will be compromised. While I agree in theory, it has been the case thus far that in the relatively short life of the hypervisor, it has proved to be much less susceptible to fault and compromise than nearly any application-and certainly the Windows operating system.

The isolated VM environment in the hypervisor platform is key to the high rates of physical-to-virtual server consolidation, and as a by-product makes it possible to securely run more than one application on the same physical server.     A security area that bears watching is best practice guides for putting VMs of differing security requirements on the same physical host. Enterprises may want to keep only VMs that process regulated data, such as credit card information, on physical systems that process similar information. Likely a better best practice guide is to keep systems with low security value clumped together regardless of function, while concentrating high-value VMs on physical equipment that is correspondingly designed for high availability. Keeping high-value systems together makes it easier to allocate security resources, such as policy development, to these systems.

Also worth noting are security developments among virtualization platform vendors. In February, VMware announced VMsafe, an initiative to improve secure operation of virtual infrastructure while also helping to reduce the amount of virtualization resources devoted to this task. 

VMsafe is a set of APIs developed by VMware that enable third-party vendors to monitor and control network traffic to and from virtual machines, as well as data on each VM at the server level.  Data can be used by security vendors to perform security analysis without the need to sit in-line at the network level or to reside on each server (VM).  

The VMsafe initiative is designed to simplify the security integration and optimize solutions to use fewer host resources and provide overall host-based and network-based security. VMsafe technology is still in the early stages of readiness.

Symantec and McAfee, along with other third-party security tool makers, are in the early stages of implementing tools that use the increased access to APIs in VMware's Virtual Infrastructure. IT managers should watch developments in this promising arena. However, if third-party tools don't make significant progress by the first anniversary of the initiative, then a reassessment of the program will likely be in order.

Based on my recent work with Microsoft's Hyper-V, security has moved from an add-on to a core feature at the company noted for releasing security and product patches on the second Tuesday of every month. In both the Hyper-V line and in the recently released Application Virtualization product, Microsoft has put secure operations at the center of product implementation. IT managers should watch here to see if the security implementation practices get easier to implement over time, as my work showed that a fair amount of time is required to fully configure the security bells and whistles.


Cameron Sturdevant Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at csturdevant@eweek.com.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel