Virtualization Increases IT Security Pressures

Computerworld - Virtualization technology, which allows multiple operating systems to run different applications on a single computer, has caught the attention of IT managers for its promise to let them better manage and utilize corporate IT resources.

However, some IT managers and security researchers warn that the emerging technology also makes corporate systems far more vulnerable to hackers.

Chad Lorenc, information security officer at a financial services company that he asked not be named, said that IT security and compliance projects are far more complex undertakings on virtual machines than on servers that run a single operating system and application.

It is a very complex issue. Im not sure you are going to find a single solution for addressing security concerns in a virtual environment, Lorenc said.

There is no silver bullet, he added. You have to tackle [security] from a people, process and technology standpoint.

Virtualization technologies allow companies to carve out multiple virtual machines within a single physical resource such as a computer server or storage array.

The technology allows companies to consolidate applications running on multiple systems into a single server, which promises to ease management requirements and allow IT hardware resources to be better utilized.

Analysts note that although the technology has been around for several years, IT organizations have become more interested in recent months as virtualization products have emerged from the research labs of companies such as Intel Corp., Advanced Micro Devices Inc., VMware Inc., Microsoft Corp. and IBM.

But before IT managers turn to virtualization tools, they must understand that collapsing multiple servers into a single box does not change their security requirements, said George Gerchow, technology strategist at security vendor Configuresoft Inc.s Center for Policy & Compliance in Colorado Springs.

Taking Precautions

In fact, Gerchow said, each virtualized server separately faces the same threats as a traditional single server. If a host is vulnerable, all associated guest virtual machines and the business applications on those virtual machines are also at risk, he said.

Therefore, a server running virtual machines faces more danger from a single exploit than a stand-alone physical server, he explained.

He noted that virtualization software allows developers, quality assurance groups and other corporate users to set up virtual machines with relatively little effort  and without IT oversight. Such virtual machines can pop up, move across systems or disappear entirely on an almost constant basis if IT managers dont take measures to maintain control of each of them.

IT departments are often unprepared for the complexity associated with understanding what virtual machines exist [on servers] and which are active or inactive, Gerchow said. Without the ability to keep track of virtual machines, companies are often unable to patch flaws or update systems when necessary, he added.