Real Risks Inside Every Virtual Box

VIRTUALIZATION | Last year, the big question about virtualization in data centres was: "How much money and time will this save us?" This year, the big question will be: "How secure are we?"

It's an extremely tough question to answer. A slew of vendors and consultants trying to sell security products and services have conflicting opinions about the risks and how to prevent them. Simultaneously, some security researchers are hyping theoretical risks such as the possible emergence of malware targeted at hypervisors (a threat that has yet to appear in the real world). "There's a lot of noise out there on virtualization," says Chris Wolf, senior analyst for market research firm Burton Group. "It can be distracting."

Adding fuel to the hype is that fact that many IT organizations say they prioritized operational speed over most other factors, including security planning, when they started creating hundreds of new VMs in 2007. (That's not surprising, when you consider that most enterprises started with virtualization on their testing and application development boxes, not their servers running core business apps.)

"We're finding security is the forgotten stepchild in the virtualization build-out," says Stephen Elliott, IDC's research director for enterprise systems management software. "That's scary when you think about the number of production-level VMs." According to IDC, 75 percent of companies with 1000 or more employees are employing virtualization today.

And through 2009, 60 percent of production VMs will be less secure than their physical counterparts, Gartner VP Neil MacDonald predicted in a presentation at Gartner's October 2007 Symposium/ITxpo.

But much of the discussion about virtualization security has been flawed to date, says security expert Chris Hoff, because people often frame the discussion by asking whether virtual servers are more or less secure than physical ones.

That's the wrong question, says Hoff, who blogs frequently on this topic and serves as chief architect for security innovation at Unisys. The right question, he says, is: "Are you applying what you already know about security to your virtualized environment?"

"People get wound up about theoreticals . . . when in reality there's a clear set of things you can do today," Hoff says. Certainly, virtualization does introduce some new security concerns, but first things first, he says. "We have to be pragmatic. Let's make sure we architect the virtual network as well as we architect the physical networking."

As an example, he points to a virtualization management tool such as VMware's VMotion, which is helpful for moving VMs around in times of machine trouble, but which can also allow someone with admin rights to combine two VMs that, in the physical world, would have been carefully separated in terms of network traffic for security reasons.

Some IT organizations are making a fundamental mistake right now: They're letting the server group run the virtualization effort almost single-handedly - leaving the IT team's security, storage and networking experts out of the loop. This can create security problems that have nothing to do with inherent weaknesses of the virtualization technology or products. "This is a perfect opportunity to bring the teams together," Hoff says.

"Virtualization is 90 percent planning," says Burton Group's Wolf. "The planning has to include the whole team, including the network, security and storage teams."

But the fact is, most IT teams ran fast with virtualization and now must play catch-up. What if you missed that opportunity to plan with all your experts, and you're starting to worry more as you expand your number of VMs and put higher-profile apps on those VMs?

"To catch up, start with a good audit of your virtual infrastructure," using tools or consultants, Wolf says. "Then you really have to work backwards." (Wolf suggests checking out audit tools from CiRBA and PlateSpin for this purpose.)

Here are 10 positive steps enterprises can take now to tighten virtualization security.

Page Break

1.Get VM Sprawl Under Control

CIOs such as Michael Abbene, who runs IT for Arch Coal, understand the problem of VM sprawl full well: VMs take minutes to create. They're great for isolating certain computing jobs. But the more VMs you have, the more security risk you have. And you'd better be able to keep track of all those VMs.

"We started by virtualizing very low-profile test and development boxes," Abbene says. "Then we moved some low-profile application servers. We've been moving up as we've been successful. We understand we're increasing our risk profile as we do that." The company currently has about 45 production VMs, he notes, including Active Directory servers, and some application and Web servers.

How do you control server sprawl? One approach: Make creating virtualized servers and VMs as disciplined as creating physical ones. At Arch Coal, the IT team is rigorous about allowing new VMs: "People have to go through the same process to get a server, whether it's physical or virtual," says Tom Carter, Arch Coal's Microsoft Systems Administrator, who works for Abbene.

For this purpose, Arch Coal IT uses a change control board (made up of a cross-section of IT staffers from disciplines like servers and storage, serving on a rotating basis) to say yes or no to new virtualized server requests. This means, for example, that people in the applications group can't just build a VMware server and start creating VMs, Abbene says - though he's had developers ask to do just that.

VMware's VirtualCenter management tools as well as tools from Vizioncore can also help manage VM sprawl.

Ignore VM sprawl at your own peril, says IDC's Elliott. "VM sprawl is a huge problem, causing lag times in the ability to manage, maintain performance and provision," he says. Also, unexpected management costs will arise if your number of VMs gets out of hand, he adds.

2.Apply Your Existing Processes to the Virtual Machines

Perhaps the sexiest aspect of virtualization is its speed: You can create VMs in minutes, move them around easily, and deliver new computing power to the business side in a day instead of weeks. It's fun to drive fast. But slow down long enough to think about making virtualization part of your existing IT processes, and you will prevent security problems in the first place, says IDC's Elliott. You will also save some management headaches later.

"Process is important," he says. "Think about virtualization not just from a technology standpoint but from a process one." If you're using ITIL to guide your IT processes, for example, think about how virtualization fits into that process framework, Elliott advises. If you're using other IT best practices, look at how virtualization fits into those processes.

One example: "If you have a server-hardening document (prescribing a standard set of security and setup rules for a new server)," Hoff says, "you should do the same set of things to a virtual server as to a physical one."

At Arch Coal, Abbene's IT team does just that. "We take our best practices for securing a physical server and apply those to every VM on the box," Abbene says. Steps like hardening the OS, running antivirus on every VM and ensuring patch management keep those virtual boxes in tune with the same procedures used on physical ones, he says.

1 2 Page 1
Page 1 of 2
Security vs. innovation: IT's trickiest balancing act