Companies hungry for IT efficiency and cost savings absolutely love virtualization. The idea of reducing racks of servers into smaller and cheaper machine farms is simply irresistible in just about every enterprise.
Security vendors have seized on this with an array of products promising "security in the cloud." But the adopters often lack a basic understanding of what virtualization is about, and that's a problem, industry experts say.
"When you look at how people think of virtualization and what it means, the definition of virtualization is either very narrow -- that it's about server consolidation, virtualizing your applications and operating systems and consolidating everything down to fewer physical boxes," says Chris Hoff, chief security architect for the systems and technology division at Unisys and an advisor on the Skybox Security customer advisory board. "Or, it's about any number of other elements -- client-side desktops, storage, networks, security."
Depending on who you are and where you are, the definition of what's coming in the virtualization world means a lot of different things to a lot of different people, which makes it darn near impossible to build a security strategy around it, he says.
Hoff isn't the only one worrying about virtualization security. Joel Snyder, security expert and senior partner at Opus One, says that while virtualization can reduce costs in many ways, "it has a variety of implications in disaster control, capacity planning, system management and security."
Though many companies don't understand the precise workings of the technology, many at least acknowledge that there's a security challenge to address. Michele Perry, CMO for security vendor Sourcefire, maker of the popular Snort open source IDS tool, says customers are expressing concern that they have no way to proactively track or identify new virtual systems within their environments.
"With limited visibility, organizations have no way to control VMSprawl, where virtual systems pop up throughout the environment without adhering to corporate IT or security policies," Perry says. "This has the potential of creating significant security issues -- including unpatched machines, unauthorized access and use, and so on."
Virtualized systems also raise the issue of data retention and privacy because a virtual machine can be moved or eliminated at any time, Perry adds.
Fortunately for those who insist on living in the so-called cloud, virtual security is not a doomed concept.
"Just because virtualization changes your security environment doesn't mean that the problems it creates are insoluble, or that life suddenly got unimaginably more complicated," Snyder says. "Instead, realize that security in a virtual server environment is different. You may have think differently and use different tools to achieve the same level of security and risk management you have had in the past."
Even Hoff, a vocal critic of virtualization security, is seeing traces of the cloud's illusive silver lining. He notes that the who's who of security vendors are retooling their applications to take advantage of VMware's vNetwork/VMsafe APIs. Check Point, Symantec, McAfee, Trend Micro and others are working on tighter, better integration.
"Operationally and technically there is a lot more integration and tightening going on," he says. One recent example of that integration was VMware acquiring BlueLane Technologies, the maker of solutions that protect both physical and logical infrastructure, including ServerShield and VirtualShield. The company has of late focused wisely on the latter, which provides application-aware firewalling, inter-VM flow visibility and analytics, application policy control, and intrusion prevention capabilities, Hoff says.
Coupled with the introspection capabilities provided by VMware's vNetwork/VMsafe API's natively, the integration of BlueLane's solution sets will add to the basal capabilities of the platform itself and will allow customers the flexibility to construct more secure virtualized operating environments, he adds.
"I think it's actually an excellent move as it continues on the path of not only helping to ensure that the underlying virtualization platform is more secure, but the elements that ride atop on it are equally security enabled also," Hoff says.
Of course, security experts warn, all the vendor activity in the world won't help a company that dives headlong into the cloud without thinking through the risks first. As long as companies fail to grasp the nuts and bolts of virtualization, dangers remain.