With VMworld in full swing, virtualization security is at the tip of some people's tongues. Based on a new paper from RSA and some user surveys, IT pros are advised to keep security high on their list of concerns when it comes to virtualized environments.
In some ways, the virtualization security market may be in a good news, bad
The good news: More tools are appearing that focus on securing virtual
environments. The bad news: Many may not be making their way into the IT
infrastructure. A survey by Nemertes Research found that only 10 percent of
organizations have deployed virtualization security technology, and 70
percent of respondents have no plans to do so in the next three years.
A separate survey
by identity management vendor Centrify
also provided a glimpse into the
mindset surrounding virtual security. According to the study, 55
percent of the 480 respondents said they had virtualization
but were proceeding with deployments anyway. It is
against that backdrop that IT pros are flooding the VMworld conference in San
Francisco Aug. 31 to Sept. 3.
read about securing virtual environments in the face of audits, click here.
"The biggest mistake is that organizations are failing to appreciate
how little visibility or control into [and] over the security of the
virtualized environment they really have," Scott Crawford, an analyst with
Enterprise Management Associates, said in an e-mail interview. "Because
virtualization offers a lot of inherent security benefits (such as VM [virtual
machine] isolation), and because threats that target virtualization
specifically have yet to make a significant appearance 'in the wild,'
organizations are moving aggressively to take advantage of the business
benefits of virtualization with limited investment in proactive or preventive
To help organizations deal with security concerns, RSA
security division of VMware parent company EMC-released
some new advice to help
organizations meet the security and compliance needs of virtual environments.
(PDF) In a paper entitled "Security Compliance in a Virtual World," the
authors touch on subjects such as platform hardening, administration access
control, and configuration and change management using VMware's management and
The paper emphasizes the importance of learning how to harden
virtualization software using guides from the Center for Internet Security,
Defense Information Systems Agency and an organization's respective
virtualization vendor. In addition, organizations should pay attention to the
speed of changes enabled by virtualization, VM mobility and offline VMs coming
online. As servers and networks are consolidated within the virtualization
infrastructure, the paper recommends the use of fine-grained access control to
ensure separation of duties between administrator roles within the
"The lag in a mature approach to virtual systems management has been
one of the biggest roadblocks of all to taking full advantage of
virtualization," Crawford said. "This is a symptom of enthusiasm for
the vision running up against the hard wall of reality. Vendors and enterprises
alike are still coming to grips with this reality-no small thing considering
the central role virtualization plays in even grander ambitions such as cloud computing."
Forty-six percent of the respondents to the Centrify
survey counted security
as the leading reason virtualization adoption could be slowed. Bolting security
on after the fact doesn't always work out, Frank Cabri, vice president of
marketing at Centrify, told eWEEK in an e-mail.
"There can be technical challenges with this, or even operational
challenges," Cabri said. "Security-in the form of access controls,
segregation of duties and the like-should be built into virtualization
deployments whenever possible. It's often less expensive in the long run, and