Aside from "the hypervisor has never been compromised," virtualization platform makers aren't likely to talk too much about security concerns. Impediments to selling lots of licenses fast, such as questions about securing a virtualized IT infrastructure, are about as welcome as flies at a picnic.
However, for IT managers who are rolling out virtual servers and networks in the data center, security should be a chart-topping concern with a bullet.
For one thing, virtualization platforms have made it far easier and much faster to create and deploy servers and applications than was possible when physical limitations governed system rollouts. For another, security tools and practices that worked in the physical world can be seriously compromised by the very qualities that make virtual machines so appealing: mobility across physical resources, demand-based provisioning such that server resources appear and disappear at a rate never seen in the physical world, high utilization of individual physical server resources, and the blurring of roles between systems and network management.
The data center network perimeter is an important security boundary. However, the traditional (and now I must add physical) character of the network perimeter is subject to increased stress by the rate and quantity of change inside the data center that have been brought about by x86 server virtualization.
Increased stress is created by the sheer proliferation of VMs. Creating security policy for applications on physical systems was hard enough to keep on top of. With the time needed to deploy a new server reduced from weeks to hours, network security personnel must interject to ensure that these swiftly made systems don't start leaking data or carrying malware just as quickly.
Security stress is also created by the rapid movement of systems inside the data center. Physical systems could be relied upon to stay put, the very antithesis of VM productivity. When a VM moves today, it is far from certain that the security policies that govern how that resource is protected will move with it.
Finally, stress is placed on traditional security methods because virtualization breaks down walls between the traditional silos of system, application and network specialties, with security a distant afterthought in the gold rush-like dash to take advantage of the tremendous economic savings of x86 server virtualization.
The plodding methodology of adding a physical server to the data center was due in part to the fact that a truck had to deliver a piece of hardware. In addition, that hardware had to be physically connected to the network, which meant that the systems people, who have some knowledge but usually no access to network equipment configuration, had to interact with other IT staff.
Let's face it, having a second or even third (the applications group) set of eyes on the process likely increased the care with which new systems were put in place. With virtualization, it is possible to have a single IT technician instantiate a new system fully provisioned in the virtual switch in a matter of minutes and with no other oversight. Given the fragile and complex nature of IT infrastructure, that is a stressful event.
What can stay the same, what needs to change and where virtualization improves security are key considerations with which IT managers must contend. The answers to all of these questions are contested, and no clear winning product or strategy has yet been declared.
However, some trends and practices are emerging that portend the future.
Traditional security tool vendors are beginning to shape their wares for the virtual world. Microsoft, after suffering a decade of criticism over the insecurity of its Windows operating system, has taken pains to ensure that security is in the DNA of its virtualization offerings. In addition, VMware, the 800-pound gorilla of virtualization, is advancing VMsafe based on APIs that enable secure operation of its platform.