Virtualization stretching IT security pressures

Computerworld - Virtualization technology, which allows multiple operating systems to run different applications on a single computer, has caught the attention of IT managers for its promise to let them better manage and utilize corporate IT resources.

However, some IT managers and security researchers warned that the emerging technology also makes corporate systems far more vulnerable to hackers.

Chad Lorenc, information security officer at a financial services company that he asked not be named, said that IT security and compliance projects are far more complex undertakings on virtual machines than on servers that run a single operating system and a single application.

“It is a very complex issue,” Lorenc said. “I’m not sure you are going to find a single solution” for addressing security issues in a virtual environment.

“There is no silver bullet,” he added. “You have to tackle [security] from a people, process and technology standpoint.”

Virtualization technologies allow companies to carve out multiple virtual machines within a single physical resource, such as a server or storage array.

Each virtual machine runs a separate operating system that runs its own applications, functioning exactly like a stand-alone computer.

The technology allows companies to consolidate applications running on multiple computer systems into a single server, which promises to ease management requirements and allow hardware resources to be better utilized.

Analysts noted that the technology has been around for several years, but IT organizations started to increasingly use it as new virtualization systems emerged in recent months from companies like Intel Corp. Advanced Micro Devices Inc., VMware Inc., Microsoft Corp. and IBM.

But as the technology spreads, it’s important that IT managers understand that collapsing multiple servers into a single box does not change their security requirements, said George Gerchow, technology strategist at security vendor Configuresoft’s Inc. center for policy and compliance in Colorado Springs, Colo.

In fact, he said, each virtualized server separately faces the same threats as a traditional single server.

“If a host is vulnerable, all associated guest virtual machines and the business applications on those virtual machines are also at risk,” he said.

Therefore a server running virtual machines faces more danger from a single exploit than a single physical server, Gerchow said.

He noted that virtualization software allows developers, quality assurance groups and other corporate users to set up virtual machines with relatively little effort, and without IT oversight.

Such virtual machines can pop up, move across systems or disappear entirely on an almost constant basis if IT managers don’t take measures to maintain control of each of them.

“IT departments are often unprepared for the complexity associated with understanding what virtual machines exist [on servers] and which are active or inactive,” he said.