March 16, 2009, 3:48 PM — Virtualization promises to make IT departments more flexible, more efficient and -- perhaps most crucial in these tough times -- more frugal. But one advantage the technology doesn't provide is an escape from the need for strong security measures.
As soon as he began planning his Novell virtualization project, Noah Broadwater realized that he was looking at an initiative that would require both a continuation of existing security practices and an analysis of any perils that might be created by the new technology.
"It was evident that virtualization demanded a close look," says Broadwater, who is vice president of information services at New York-based children's media producer Sesame Workshop. "Above all, we had to make sure that we would be secure on all fronts."
Neil MacDonald, an analyst at Gartner Inc., says that virtualization is opening new doors for IT departments as well as for people who seek to tamper with critical data and services.
"Adopters can expect that virtualized software, like hypervisor software, will be attack targets," he says. "Therefore, virtualization security planning should be addressed at a project's inception."
Crash and Learn
With IT departments in today's crashing economy being asked to do more with less, virtualization's lure is becoming increasingly irresistible. But as some departments rush headlong toward the technology in an effort the stretch scarce dollars, the temptation arises to skimp on security.
Many thrifty managers believe that the same technologies currently used to protect conventional physical servers can simply be extended to virtualized environments. But MacDonald says that's a potentially calamitous assumption. He notes that the unwary could be trapped by threats in several areas, including software, administration, mobility, the operating system and network visibility (see "Virtualization's Soft Spots," below). "There need to be policies to address these issues," he adds.
Broadwater takes some common-sense defensive steps, such as using firewall controls to limit user access and running a full array of security protocols and checks on each virtual server. In addition, Broadwater says he depends on his virtualization software vendor, Novell Inc., to supply a product that's resistant to intrusions and attacks. He says he worries about "holes in the virtualization software itself -- kernel attacks, someone attacking the host module or one of my guys making a mistake against the host server -- and then making sure that the full virtualization software is actually secure and is patched."
Broadwater says he's confident that his vendor is keeping pace with virtualization threats as they arise.
He feels that beyond technology-driven measures, it's helpful for enterprises to keep details about virtual environments close to their vests in order to deter unwanted attention. "In a lot of cases, we don't even tell people that they're running on a virtual box or that they're actually accessing a virtual box," Broadwater says.
Oyvind Kaldestad, vice president of corporate IT at Lionbridge Technologies Inc., a business outsourcing and training company in Waltham, Mass., says his top concern is malware infections finding their way into his client enterprises' Microsoft-based virtual environments.
"I would be really worried about having a host or parent partition being able to access and cause a virus or other type of infection on a child partition -- that would be a bad scenario," he says.
Kaldestad is also concerned about child partitions using virtualization to talk to one another and spread infections. But like Broadwater, he's confident that his vendor has a handle on the issue.
Steve Milligan, director of academic computing and technology at Arkansas Tech University, says that component segregation is vital to protecting his VMware-driven virtual desktop environment.
"We keep our virtual desktops separate from our production servers, and we keep our development servers separated as much as possible from our production servers," he says. "One of my biggest concerns is having a host or a VM that's compromised and allowing unwanted access to other systems within our environment."
Milligan acknowledges that he underestimated the security challenge when designing his virtualized environment. "Security was not on the forefront," he says. "We weren't thinking of designing our virtual environment any differently from our physical environment. That was a mistake, and we've learned from that."
Like many others managing a virtualized environment, Milligan would like vendors to provide more and better visibility tools. "It's that unknown -- not knowing what's going on in your virtual environment," he says. "Not just what's communicating with your servers from the outside, but what's going on internally between those virtual servers and desktops."
Although safeguarding virtualized environments requires new insights and practices, conventional security still plays a role. Like many experienced adopters, Broadwater says that virtualization security begins at the host.
"It's general security stuff," he says. "Make sure that your security patches are up to date and that you have proper antivirus [tools] that are sitting behind a proper firewall."
To further ensure that his virtual deployment is as secure as possible, Broadwater periodically turns to an outside security firm to probe the environment for lurking vulnerabilities. "We usually hire a company to do a security penetration test once a year," he says. "From the penetration test, we look at the vulnerabilities and go back to the vendors and ask them how they can help us resolve these issues."
Kaldestad says prospective virtualization adopters can get a handle on how vendors approach and manage security by carefully scrutinizing each provider's virtualization architecture.
"Try to figure out what type of attack vectors could possibly be used," he advises. "By looking at how things are architected, you can find out quite a bit about potential vulnerabilities."
Reality Check
Not all IT managers are losing sleep over virtualization security. Some feel that the issue is being hyped. They say that critics overlook the fact that most vulnerabilities are addressable and that many adopters are simply using virtualization to save money by consolidating low-priority -- and low-risk -- tasks.
Nicholas Tang, vice president of technology operations at Interactive One, the online division of the U.S.'s largest African-American radio network, says he believes that as long as critical data isn't sent into a virtualized environment, virtualization requires no special security protections.
"We treat [virtualized servers] like standard servers and take standard good-practice measures, but nothing specific to the virtualized environment," says Tang, who uses Oracle VM technology to consolidate lightly loaded servers, such as slave DNS and utility servers.
Yet Scott Crawford, security and risk management research director at Enterprise Management Associates Inc., a technology research firm in Boulder, Colo., warns that it's still important not to be lulled into a false sense of security, since no enterprise wants to invite an attack or intrusion, even if the tasks being virtualized are relatively minor. "Nobody wants to be a victim and to have to clean up a mess," he says.
Milligan agrees. "Virtualization is a very exciting technology that offers IT managers a better way to manage some of their systems," he says. "But don't get too excited over the benefits and look past the security. That could be dangerous."
Edwards is a freelance writer in Gilbert, Ariz. Contact him at jedwards@gojohnedwards.com.
