The scary side of virtualization

After pushing forward with server virtualization, some IT executives are rethinking the security implications

1 2 3 4 5 6 Page 6
Page 6 of 6

Protecting the data

Because virtual machine images are data -- program code stored on a hard disk drive somewhere -- those files must be protected. "You don't want someone walking away with an entire server on a USB drive," says Jordon. She says the Phoenix city government uses a combination of physical security, network storage access controls and file integrity monitoring to protect virtual machine images.

Jai Chanani
Jai Chanani, senior director of technical services and architecture at Rent-a-Center, says his team has about 200 virtual servers but doesn't use virtualization for the company's ERP system, databases or e-mail.

Six Flags keeps those images on protected network storage. "Those NFS mounts are restricted to prohibit anyone from mounting those shares. You're not going to be able to just copy the file, and it's not possible to mount a thumb drive on a server in our environment," says Nowell.

IT also needs to rethink its data loss prevention efforts, says RSA's Baize. Instead of creating policies that state which virtual machines can access what data, those policies need to be data-centric, he contends. "You can have policies that say this sensitive data cannot go to this virtual machine. You don't have to worry which virtual machine the data comes from -- it's a truly risk-driven policy. This is an opportunity to rethink the way we do security."

Controls need to be well understood

Securing virtual infrastructure is not about buying more tools, says Baize. "There's a lot available today in terms of controls for virtual infrastructure. What is lacking is the understanding of what the controls are for and when they should be applied," he says.

The best way to create a secure virtual infrastructure is to have IT security or a security consultant involved early on. Gartner estimates that as many as 40% of IT organizations don't get IT security involved in a virtual infrastructure deployment until after the system is already built and online. The problem becomes more evident as more mission-critical applications begin to move into virtual machines. "When you start looking at virtualizing SharePoint or Exchange or ERP you really are running into sensitive data. That forces the issue," Gartner's MacDonald says.

By then, organizations are trying to bolt on security that should have been designed in from the beginning. That kind of after-the-fact redesign work can get expensive. "CIOs should make sure they have their top people in the loop when designing this type of architecture," he says.

It all comes down to policy, says Rent-a-Center's Condit. "If you don't have a strong security policy in place, a virtual infrastructure is going to show up those weaknesses much more quickly because things happen more rapidly," he says, referring to how quickly virtual servers can be created and then moved around between physical host servers.

But CIOs are right to worry. Says Condit: "A certain healthy level of paranoia is always a good thing."

Robert L. Mitchell writes technology-focused features for Computerworld. You can follow Rob on Twitter at twitter.com/rmitch or subscribe to his RSS feed. His e-mail address is rmitchell@computerworld.com.

Copyright © 2010 IDG Communications, Inc.

1 2 3 4 5 6 Page 6
Page 6 of 6
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon