Virtualization is a broad term that refers to the use of fewer pieces of hardware to run more operating systems and applications. In practical terms, it is the hosting of more than one OS on a single physical machine. That description alone suggests the different, albeit related, reasons that CIOs and CFOs like virtualization.
There is a fly in the ointment of money savings and increased productivity, however. These environments are extremely vulnerable because security approaches haven't caught up. This NewsFactor story looks at four of the top security concerns surrounding server virtualization. The first is the possibility that the system which oversees all the virtual machines -- the hypervisor -- could be hacked in such a way that it infects everything under its control.
The second problem -- which is less sinister but potentially just as dangerous -- is the fact that keeping all those virtual servers patched is a challenge. The third problem involves the potential dangers of running the virtualized machine in the "DMZ." The last issue is a general feeling that hypervisors are so new that security problems may exist just below the surface waiting for hackers to exploit them.
This passage from an article by David Frith, a senior consultant with Siemens Enterprise Communications Limited, should catch the attention of IT managers contemplating virtualization:
Full security analysis of many of the vendor offerings reveals large areas of unexplored code in which could lurk potential flaws; this is a 'known unknown' since the lack of live deployments until recently has resulted in little testing.
Short version: Be extraordinarily careful. The Continuity Central piece Frith wrote paints a picture of a category that is growing quickly. The writer says that existing security tools can perform some tasks that will help keep virtualized machines safe, but that big gaps exist. He then maps out what needs to be done. The writer concludes that new tools are necessary and that the market must educate itself.
Virtualization security does seem to be getting the attention it needs. Server Watch recently looked at the top seven trends for virtualization in 2008, and security was the first item mentioned. Site editor Amy Newman starts by saying that virtualization was "largely immune" from all the security problems of the past year. However, Gartner ran up a yellow flag mid-year. (A link is provided to a Server Watch story on the topic.) The bottom line is that a virtualized machine is a great target for a hacker simply because one successful exploit can net them multiple rewards.
It is the season for lists of highlights from the past year and looks ahead, and security is no different. McAfee predicts that security vendors will create "more resilient" defenses for virtualized environments. The bad guys will react, and the cat and mouse game will be joined in a new arena.
While there is cautious optimism for the future, it's frightening that so little attention has been paid to virtualization security to date. Slavik Markovich, the CTO of Sentrigo, laid out the problems to IT Business Edge earlier this month. The vulnerabilities were stark, even to a non-expert: The new architecture is not compatible with the old approaches to security. When asked what companies were doing to combat this obvious challenge, Markovich sounded surprised.
The amazing thing is that they are not covering that at all. A couple of vendors asked VMware to create some sort of span port and they said it is not even on the road map.
Markovich is talking about the virtualization vendors themselves. Hopefully, security vendors have seen the dangers -- and the potential profits -- from guarding virtualized environments. If that isn't the case, companies looking to cut costs with leading-edge virtualization technology may be in for a rude awakening next year.