How Virtualization and Cloud Computing Will Change Security

Gert Hansen

The virtues of virtualization and cloud computing will figure into most enterprise IT infrastructure discussions during 2010. Virtualization has already proved it can save money through server consolidation and better use of resources. Greater use of the technology across server infrastructures, in other areas of the IT stack, and at the desktop is widely anticipated. The uptake of software-as-a-service (SaaS) applications such as, and the success of IT service outsourcing demonstrate how centralized remote computing approaches also can provide more efficient ways to deliver technology resources to users, helping cloud computing to gain greater buy-in from corporate decision-makers. But as the industry moves toward a new IT infrastructure play, what are the implications for IT security?

Why Should Security Professionals Be Concerned?

According to research from Gartner, about 16 percent of all enterprise servers are now virtualized, and it expects this to increase to around 50 percent by 2012. The market leader in this space, VMware, has more than 150,000 customers. Microsoft's virtualization product, Hyper-V, is effectively free with the latest version of Windows Server, which encourages take-up of the technology and makes it more accessible to smaller businesses.

With any technology that is growing in importance to enterprises of all sizes, malware writers are expected to attempt attacks on virtualized environments, either to hijack workloads or steal critical data. An example of how virtualization is being considered alongside security is the Payment Card Industry's Data Security Standard, where a Special Interest Group has been set up to discuss the role of virtualization within retailers' networks and the impact on protecting credit and debit card payment data.

There are three main attack targets on a virtualized environment:

  • The virtual machine workload, which will consist of an operating system, applications and data, similar to a traditional server workload.
  • The hypervisor itself.
  • The management APIs used to control the virtual machines and integrate with other IT management products.

The biggest issue facing the security team is not being involved in the implementation of virtualization in the first place, since it often starts life in test and quality assurance environments. As virtualization spreads into more production environments, security has to be a core concern. This includes evaluating business-continuity aspects, as the proportion of workloads affected by an outage or virus attack will be much higher in a consolidated environment.

The first consideration is that traditional security skills are being applied to the virtualization environment. This can be more difficult, as virtual machines can be moved around according to business demands and workload priorities. The emphasis has to be on planning and awareness of the possibilities that this shifting environment represents. Keeping the virtual and physical network traffic separated through use of VLANs is the first step, followed by implementing intrusion-prevention and firewall systems that can monitor and inspect traffic between the virtual machine host servers. Organizations looking at desktop virtualization still must roll out antivirus within the guest machines, even though virtualizing the session makes any patching or virus cleanup much easier and faster.

The next consideration is how virtualization can potentially improve security planning and execution. As virtual machines are isolated environments, it's easier to run multi-tenant environments that require separation, even on the same hardware. This is particularly useful for managed-service providers, where virtualization allows them to host more customers on the same amount of physical kit.

New Approaches to Security in a Virtualized Environment

Hardened virtual appliances, which are virtual machines built for a specific task, are also becoming more popular with organizations, as they can help the security function to benefit from the same results around virtualization as the rest of the business. A research report from IDC in December 2009 stated that virtual security appliance budget allocations will continue to grow over the next year to 18 months, as the total cost of ownership results are better than using separate point software products or dedicated hardware.

The other area where new approaches to security are being considered is the cloud. Cloud computing can mean different things to different people, but the most common definition is using the Internet to deliver a reliable service to users, where the amount of that service can be scaled up or down depending on demand. This flexibility, coupled with a 'pay-as-you-go' billing model, makes it attractive to organizations where capital expenditure is heavily reduced or where it is hard to get budget signoff.

The potential for cloud computing is huge, as it can make IT service delivery more efficient and cost-effective. However, the cloud faces several major hurdles, the biggest of which is around security. As data will be moving out of the company's direct control, security and privacy concerns are significant, especially in those industries where regulations on data retention and ownership are in place. Establishing the cloud as a trustworthy platform for the business will be an ongoing concern, no matter how attractive the potential savings.

The biggest issue to remember is that all the data involved is yours. Even though it may be residing on another company's storage, it is the responsibility of the customer to ensure that it remains secure. It is essential to perform due diligence on the cloud provider and continually ask questions about how the provider keeps the network secure. Visiting the data center personally can help build trust. If moving completely into the cloud does not suit the business, then taking a trusted partner that can manage the systems on your premises remotely can be a suitable "halfway house" that can deliver the cost benefits of full cloud, while retaining some control.

SaaS providers have already made some headway in demonstrating how trust and security around data can be gained. As this process continues to gather steam, security providers are also looking at how the cloud can make procedures more efficient. Examples of where cloud-based services can be effective include e-mail archiving and Web security, as the value for the organization is in managing the process efficiently, rather than hosting the products or service on-site.

As organizations roll out further virtualized infrastructures or move their workloads into private and/or public clouds, the security team has to be involved in establishing best practices around these shifts in strategy. Virtualization and the cloud, in tandem with security, can provide more efficient management and automation of non-critical IT functions. In an age where IT resources are stretched and budgets static, this represents a significant opportunity for IT to deliver the results that businesses need to remain competitive. As these technologies move into production, the right security planning can ensure that virtualization or cloud computing deliver the promised benefits.

(Astaro is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held April 27-29 at its new venue, Earl's Court, London. The event provides a free education program, exhibitors showcasing new and emerging technologies, and practical and professional expertise. For further information, please visit

Feb 19, 2010 6:02 PM Andy Feit says:

Gert, There's no question that virtualization and cloud computing architectures require a whole new approach to security. What worked in the past (perimeter protection and network monitoring) simply won't work in virtual environments, and especially in the cloud. For example:

  • traffic from one VM to another VM running on the same physical server will never even hit the network, so it won't be seen by traditional security models
  • as you point out, new VMs are being provisioned over the course of the day based on capacity needs (and de-provisioned as well), so whatever you are using to secure them must be deployed automatically or you'll never keep up with this dynamic environment
  • it gets even trickier in the cloud, where the network is essentially the entire Internet -- how do you monitor that!? Not so easy... some sort of distributed mechanism is almost certainly required.

You are absolutely right that the biggest issue is the data. In the end, in order to move key applications to the cloud, companies will need to know that the data security mechanisms in place meet the requirements of regulations that affect them (PCI-DSS, HIPAA, SOX, etc.). A recent whitepaper from Sentrigo looks at these issues, and more, from the specific perspective of database security... interesting reading. Find it here:

Andy
Apr 12, 2014 7:34 AM Paula says:

How can I read the document on my tablet? I cannot read the PDF.
