In 2007, the big question about virtualization in data centers was "How much money and time will this save us?" In 2008, the big question will be "How secure are we?"
It's an extremely tough question to answer. A slew of vendors and consultants trying to sell security products and services have conflicting opinions about the risks and how to prevent them. Simultaneously, some security researchers are hyping theoretical risks such as the possible emergence of malware targeted at hypervisors (a threat that has yet to appear in the real world). "There's a lot of noise out there on virtualization," says Chris Wolf, senior analyst for market research firm Burton Group. "It can be distracting."
Adding fuel to the hype is that fact that many IT organizations say they prioritized operational speed over most other factors, including security planning, when they started creating hundreds of new VMs in 2007. (That's not surprising, when you consider that most enterprises started with virtualization on their testing and application development boxes, not their servers running core business apps.)
"We're finding security is the forgotten stepchild in the virtualization build out," says Stephen Elliott, IDC's research director for enterprise systems management software. "That's scary when you think about the number of production-level VMs." According to IDC, 75 percent of companies with 1,000 or more employees are employing virtualization today.
And through 2009, 60 percent of production VMs will be less secure than their physical counterparts, Gartner VP Neil MacDonald predicted in a presentation at Gartner's October 2007 Symposium/ITxpo.
But much of the discussion about virtualization security has been flawed to date, says security expert Chris Hoff, because people often frame the discussion by asking whether virtual servers are more or less secure than physical ones.
That's the wrong question, says Hoff, who blogs frequently on this topic and serves as chief architect for security innovation at Unisys. The right question, he says, is "Are you applying what you already know about security to your virtualized environment?"
"People get wound up about theoreticals…when in reality there's a clear set of things you can do today," Hoff says. Certainly, virtualization does introduce some new security concerns, but first things first, he says: "We have to be pragmatic. Let's make sure we architect the virtual network as well as we architect the physical networking."
As an example, he points to a virtualization management tool such as VMware's VMotion, which is helpful for moving VMs around in times of machine trouble, but which can also allow someone with admin rights to combine two VMs that, in the physical world, would have been carefully separated in terms of network traffic for security reasons.
Some IT organizations are making a fundamental mistake right now: They're letting the server group run the virtualization effort almost single-handedly—leaving the IT team's security, storage and networking experts out of the loop. This can create security problems that have nothing to do with inherent weaknesses of the virtualization technology or products. "This is a perfect opportunity to bring the teams together," Hoff says.
"Virtualization is 90 percent planning," says Burton Group's Wolf. "The planning has to include the whole team, including the network, security and storage teams."
But the fact is, most IT teams ran fast with virtualization and now must play catch-up. What if you missed that opportunity to plan with all your experts, and you're starting to worry more as you expand your number of VMs and put higher-profile apps on those VMs?
"To catch up, start with a good audit of your virtual infrastructure," using tools or consultants, Wolf says. "Then you really have to work backwards." (Wolf suggests checking out audit tools from CiRBA and PlateSpin for this purpose.)
Here are 10 positive steps enterprises can take now to tighten virtualization security: