When Virtualization Is Safer
It is thought that the introduction of any software increases the risk that the system will be compromised. While I agree in theory, it has been the case thus far that in the relatively short life of the hypervisor, it has proved to be much less susceptible to fault and compromise than nearly any application-and certainly the Windows operating system. The isolated VM environment in the hypervisor platform is key to the high rates of physical-to-virtual server consolidation, and as a by-product makes it possible to securely run more than one application on the same physical server. A security area that bears watching is best practice guides for putting VMs of differing security requirements on the same physical host. Enterprises may want to keep only VMs that process regulated data, such as credit card information, on physical systems that process similar information. Likely a better best practice guide is to keep systems with low security value clumped together regardless of function, while concentrating high-value VMs on physical equipment that is correspondingly designed for high availability. Keeping high-value systems together makes it easier to allocate security resources, such as policy development, to these systems.VMsafe is a set of APIs developed by VMware that enable third-party vendors to monitor and control network traffic to and from virtual machines, as well as data on each VM at the server level. Data can be used by security vendors to perform security analysis without the need to sit in-line at the network level or to reside on each server (VM). The VMsafe initiative is designed to simplify the security integration and optimize solutions to use fewer host resources and provide overall host-based and network-based security. VMsafe technology is still in the early stages of readiness. Symantec and McAfee, along with other third-party security tool makers, are in the early stages of implementing tools that use the increased access to APIs in VMware's Virtual Infrastructure. IT managers should watch developments in this promising arena. However, if third-party tools don't make significant progress by the first anniversary of the initiative, then a reassessment of the program will likely be in order. Based on my recent work with Microsoft's Hyper-V, security has moved from an add-on to a core feature at the company noted for releasing security and product patches on the second Tuesday of every month. In both the Hyper-V line and in the recently released Application Virtualization product, Microsoft has put secure operations at the center of product implementation. IT managers should watch here to see if the security implementation practices get easier to implement over time, as my work showed that a fair amount of time is required to fully configure the security bells and whistles.
Also worth noting are security developments among virtualization platform vendors. In February, VMware announced VMsafe, an initiative to improve secure operation of virtual infrastructure while also helping to reduce the amount of virtualization resources devoted to this task.