Virtualization security is not just about securing the virtual network, nor is it just about securing the virtualization server operating system.
It is about realizing that a virtualization server is a hybrid device, whether it be VMware Virtual Infrastructure 3, VMware Server, VMware Workstation, Citrix XenServer or Microsoft Hyper-V.
Virtualization servers are a mix of a hypervisor device (OS), a networking device (bridge or switch) and a storage interface.
Currently, security folks know how to harden an OS and/or they know how to protect a network bridge or switch appliance. Few know how to do both simultaneously, or how to deal with the hypervisor as a complicating factor.
Do you need a high-priced virtualization security expert to do this? These experts are few and far between and you probably don’t need them. What you do need is the ability to pool all your security expertise in one group and educate them on the realities of virtualization. You need to remove the barriers and fiefdoms that spring up around IT and let these folks work together.
There is often a combative rather than synergistic approach when groups deal with virtualization administrators.
For example, it can be tough getting storage teams to properly lay out the LUNs (logical unit numbers) involved with virtualization servers; getting network administrators to set network speeds and configure ports for virtual-server hosts; or even getting OS security administrators to understand what tools they actually need instead of requesting unnecessary access and applications.
The combative nature that prevents this kind of cooperation often stems from not only organizational issues, but also the need for a virtualization administrator to act as an administrator for storage, security and networks.
Since a virtualization server covers all three areas, virtual-server administrators need to fully understand all three, or have the help of teams from storage, security, network, and operations. While it may be possible for one person to learn everything in these arenas, it is better to utilize the existing expertise.
The answer to fixing this IT staff problem: Educate all IT teams in the realities of virtualization. Virtualization is here to stay; it is not a fad; it is a reality. Whether by purchasing virtualization books for your IT teams or by providing training for your team members, all teams need to speak the same language, and this includes the virtualization administrator.
The virtualization administrator is the glue that makes it all possible, so he or she also needs education in order to speak the language used by the other teams. Otherwise, you get the ‘You do not know what you are talking about’ approach to teamwork.
Education must start at the top. Most C-Level people employing virtualization already understand the benefits. But the top IT people within a corporation must have more technical training.
Specifically, security specialists must understand how VMs are different from physical servers, or security decisions will be based on outdated and inaccurate information. Fixing those mistakes requires expensive help in the form of one of the few available big-gun virtualization security consultants.
The IT playing field has shifted to a more integrated world where IT fiefdoms and protections are no longer valid and should be dismantled.
To me, not learning all you can about virtualization is a career-limiting move.
Virtualization expert Edward L. Haletky is the author of “VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers,” Pearson Education (2008). He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.