The Myth of Cloud Computing
Why the rapid spread of virtual technology is becoming a security risk
By Bill Brenner , Senior Editor
December 01, 2008 — CSO —
Companies hungry for IT efficiency and cost savings absolutely love virtualization. The idea of reducing racks of servers into smaller and cheaper machine farms is simply irresistible in just about every enterprise.
Security vendors have seized on this with an array of products promising "security in the cloud." But the adopters often lack a basic understanding of what virtualization is about, and that's a problem, industry experts say.
"When you look at how people think of virtualization and what it means, the definition of virtualization is either very narrow -- that it's about server consolidation, virtualizing your applications and operating systems and consolidating everything down to fewer physical boxes," says Chris Hoff, chief security architect for the systems and technology division at Unisys and an advisor on the Skybox Security customer advisory board. "Or, it's about any number of other elements -- client-side desktops, storage, networks, security."
Depending on who you are and where you are, the definition of what's coming in the virtualization world means a lot of different things to a lot of different people, which makes it darn near impossible to build a security strategy around it, he says.
Hoff isn't the only one worrying about virtualization security. Joel Snyder, security expert and senior partner at Opus One, says that while virtualization can reduce costs in many ways, "it has a variety of implications in disaster control, capacity planning, system management and security."
Though many companies don't understand the precise workings of the technology, many at least acknowledge that there's a security challenge to address. Michele Perry, CMO for security vendor Sourcefire, maker of the popular Snort open source IDS tool, says customers are expressing concern that they have no way to proactively track or identify new virtual systems within their environments.
"With limited visibility, organizations have no way to control VMSprawl, where virtual systems pop up throughout the environment without adhering to corporate IT or security policies," Perry says. "This has the potential of creating significant security issues -- including unpatched machines, unauthorized access and use, and so on."
Virtualized systems also raise the issue of data retention and privacy because a virtual machine can be moved or eliminated at any time, Perry adds.
Fortunately for those who insist on living in the so-called cloud, virtual security is not a doomed concept.
"Just because virtualization changes your security environment doesn't mean that the problems it creates are insoluble, or that life suddenly got unimaginably more complicated," Snyder says. "Instead, realize that security in a virtual server environment is different. You may have think differently and use different tools to achieve the same level of security and risk management you have had in the past."