
The scary side of virtualization

After pushing forward with server virtualization, some IT executives are rethinking the security implications

August 10, 2010 06:00 AM ET

Computerworld - During a roundtable discussion at the Computerworld Premier 100 IT Leaders conference in March, one CIO stood up to express his uneasiness about the security of a virtual infrastructure that has subsumed more than half of his company's production servers. In short order, two other IT executives chimed in with their own nagging worries.

None of the executives in that room wanted to admit on the record that they feel vulnerable, but Jai Chanani, senior director of technical services and architecture at Plano, Texas-based retailer Rent-a-Center Inc., feels their pain. "One of my biggest fears is the ability to steal [virtual servers]," he says. His team has about 200 VMware ESX and XenServer virtual servers operating as file, print and, in some cases, application servers. But, for security reasons, his shop doesn't use virtualization for the company's ERP system, databases or e-mail.


Michael Israel, CIO at amusement park operator Six Flags Inc. in Grand Prairie, Texas, voices a different concern. To him, the most unnerving scenario is the idea of a rogue administrator moving virtual servers from a secure network segment onto physical hosts in an unsecured segment, or creating new, undocumented, unlicensed and unpatched virtual servers. "The biggest concern I have is the renegade side of it. The last thing I want is 25 servers out there... that I don't know exist," he says.

The migration onto virtual servers has saved businesses huge sums of money as a result of consolidation and improved efficiency, but as virtualization has gobbled up more and more production servers, some IT executives are getting indigestion. Has anything been overlooked? Could a catastrophic breach somehow bring down critical applications -- or perhaps an entire data center? "Customers wake up one day, realize that 50% of their business-critical apps reside on virtual infrastructure and say 'Gee, is that secure?' That's very common," says Kris Lovejoy, a vice president at IBM Security Solutions, IBM's security consultancy.

"There are some huge, well-known corporate names around the globe that you'd think would have this stuff pretty much beat. That couldn't be further from the truth," says Andrew Mulé, a senior security consultant in the RSA Security practice at EMC Consulting; he spends his time in the field with corporate customers.

The problem isn't that virtual infrastructure is difficult to secure per se, but that many companies still haven't adapted their best practices -- if they have them -- to the new environment.

Virtualization introduces technologies -- including a new software layer, the hypervisor -- that must be managed. Also new: virtual switching, which routes network traffic between virtual servers in ways that aren't always visible to tools designed to monitor traffic on the physical network.

Moreover, virtualization breaks down the traditional separation of duties within IT by allowing a single administrator to generate new virtual servers en masse, at the push of a button, without approval from purchasing or input from the network, storage, business continuity or IT security groups. In many organizations, the IT security team isn't consulted about virtual infrastructure until well after the architecture is built and rolled out on production servers. And virtualization-aware security technologies and best practices are both still evolving.

The market has emerged so quickly that customers have not been able to keep up from a best practices standpoint, says Lovejoy. There's a lack of knowledge on the subject and a lack of skills in the field. While technologies are available to secure virtual infrastructure, Lovejoy often sees security failures that can be tracked to misconfigurations.

"The questions about security in a virtual environment are centered around lack of visibility, lack of control and fear of the unknown," says Bill Trussell, managing director of security research at The Info Pro, a Manhattan-based IT consultancy.


