3 key issues for secure virtualization
Deal with these three main security concerns to improve your virtualized IT environment, says Bernard Golden
By Bernard Golden
March 07, 2012 — CSO —
Virtualization represents a sea change in IT practices. Bound for years by the "one application, one server" rule, IT infrastructure was over capacity, underused and not cost-effective.
With the advent of virtualization and the associated move to hosting multiple virtual machines on a single server, many of these problems disappeared.
Because multiple virtual machines can be placed on a single server, IT organizations can ensure that the machine's processing power is portioned out to many applications. Utilization, often measured in single digits, can be increased to 70 percent or more, ensuring that far less capital is wasted on high-cost, little-used servers.
It's also no secret that the movement toward virtualization has experienced what is sometimes referred to as "virtualization stall." This refers to the fact that many organizations get around 25 percent of their total server population virtualized, and then progress stops.
[Also read Greg Machler's Smart questions for analyzing virtualization products]
When you look into why this happens, you usually find that the organization has virtualized all of the easy servers (for example, dev machines and low-risk internal IT applications like DNS) but has failed to virtualize its production applications.
There are many reasons for this stall, but an important one is security. Essentially, security groups are unsure how to apply practices designed for a physical environment to a virtualized one. Despite this confusion, the direction is clear: Security practices must be updated to break the logjam of virtualization stall.
Here are three of the most common issues confronted by security organizations as they move toward a virtualized future:
Lack of Visibility Into Network TrafficMany security organizations monitor network traffic to identify and block malicious traffic and penetration attempts. Vendors have delivered specialized appliances that perform monitoring to ease the headaches of installation and configuration. These appliances can be installed on the network just like another server, and they can be up and running in hours or days. The appliance approach has simplified security practices and been an enormous boon to hard-pressed security groups and IT operations.
There's one problem with this approach, though, in a virtualized world. Virtual machines on the same server communicate via the hypervisor's internal networking, with no packets crossing the physical network where the security appliance sits ready to sniff them. Of course, if the virtual machines (VMs) reside on different servers, inter-VM traffic will run across the network and be available for inspection. For performance reasons, however, virtual machines associated with the same application (for example, an application's Web server and database server) are often on the same physical server.
Fortunately, vendors have stepped forward to address this. Virtualization vendors have provided hooks into their hypervisors that network vendors such as Cisco and Arista have used to integrate with virtual switches that, in turn, enable traffic inspection. So this problem is not insurmountable, though it does require an upgrade to the current method of network switching and the use of security products integrated with the newer model. You can translate this as a need for more financial investment. But lack of visibility alone is no reason for organizations to put off virtualizing production applications.