The virtues of virtualization and cloud computing will figure into most enterprise IT infrastructure discussions during 2010. Virtualization has already proved it can save money through server consolidation and better use of resources. Greater use of the technology across server infrastructures, in other areas of the IT stack, and at the desktop is widely anticipated. The uptake of software-as-a-service (SaaS) applications such as salesforce.com, and the success of IT service outsourcing demonstrate how centralized remote computing approaches also can provide more efficient ways to deliver technology resources to users, helping cloud computing to gain greater buy-in from corporate decision-makers. But as the industry moves toward a new IT infrastructure play, what are the implications on IT security?
Why Should Security Professionals Be Concerned?
According to research from Gartner, about 16 percent of all enterprise servers are now virtualized, and Gartner expects this to increase to around 50 percent by 2012. The market leader in this space, VMware, has more than 150,000 customers. Microsoft's virtualization product, Hyper-V, is effectively free with the latest version of Windows Server, which encourages take-up of the technology and makes it more accessible to smaller businesses.
With any technology that is growing in importance to enterprises of all sizes, malware writers are expected to attempt attacks on virtualized environments, either to hijack workloads or steal critical data. An example of how virtualization is being considered alongside security is the Payment Card Industry's Data Security Standard, where a Special Interest Group has been set up to discuss the role of virtualization within retailers' networks and the impact on protecting credit and debit card payment data.
There are three main attack targets on a virtualized environment:
The biggest issue facing the security team is not being involved in the implementation of virtualization in the first place, since it often starts life in test and quality assurance environments. As virtualization spreads into more production environments, security has to be a core concern. This includes evaluating business-continuity aspects, as the proportion of workloads affected by an outage or virus attack will be much higher in a consolidated environment.
The first consideration is that traditional security skills are being applied to the virtualization environment. This can be more difficult, as virtual machines can be moved around according to business demands and workload priorities. The emphasis has to be on planning and awareness of the possibilities that this shifting environment represents. Keeping the virtual and physical network traffic separated through use of VLANs is the first step, followed by implementing intrusion-prevention and firewall systems that can monitor and inspect traffic between the virtual machine host servers. Organizations looking at desktop virtualization still must roll out antivirus within the guest machines, even though virtualizing the session makes any patching or virus cleanup much easier and faster.
The next consideration is how virtualization can potentially improve security planning and execution. As virtual machines are isolated environments, it's easier to run multi-tenant environments that require separation, even on the same hardware. This is particularly useful for managed-service providers, where virtualization allows them to host more customers on the same amount of physical kit.
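The two points above, keeping guest traffic off the VLAN the hosts use for management and keeping tenants on separate VLANs, are easy to state and easy to drift away from as virtual machines are moved around. The following is an added example, not code from the article or from any hypervisor vendor: a small Python audit over a constructed inventory of guest NIC attachments. The inventory format, the bridge and VLAN numbers, and the tenant names are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed topology: the hypervisor's own management NIC is plugged into this
# bridge and tagged with this VLAN. Both values are constructed for the example.
MANAGEMENT_BRIDGE = "br0"
MANAGEMENT_VLAN = 10


@dataclass(frozen=True)
class VmNic:
    vm: str
    tenant: str
    bridge: str
    vlan: Optional[int]  # None means the NIC is untagged on the bridge


def audit_separation(nics):
    """Check guest NIC attachments against three separation rules and return
    a sorted list of (vm, issue) tuples. An empty list means no violations."""
    findings = []
    vlan_tenants = defaultdict(set)

    for nic in nics:
        # Rule 1: guest traffic must never ride the host management VLAN.
        if nic.vlan == MANAGEMENT_VLAN:
            findings.append((nic.vm, "guest NIC on management VLAN %d" % MANAGEMENT_VLAN))
        # Rule 2: an untagged guest NIC on the management bridge shares the
        # physical segment with the host itself.
        if nic.vlan is None and nic.bridge == MANAGEMENT_BRIDGE:
            findings.append((nic.vm, "untagged on management bridge %s" % MANAGEMENT_BRIDGE))
        if nic.vlan is not None:
            vlan_tenants[nic.vlan].add(nic.tenant)

    # Rule 3: a VLAN shared by more than one tenant breaks multi-tenant isolation;
    # every VM on that VLAN is reported so the owner of each can be contacted.
    for vlan, tenants in sorted(vlan_tenants.items()):
        if len(tenants) > 1:
            label = "VLAN %d shared by tenants %s" % (vlan, ", ".join(sorted(tenants)))
            for nic in nics:
                if nic.vlan == vlan:
                    findings.append((nic.vm, label))

    return sorted(set(findings))


# Constructed inventory (not exported from any real hypervisor).
SAMPLE_NICS = [
    VmNic("web-01", "acme", "br0", 100),
    VmNic("db-01", "acme", "br0", 100),
    VmNic("crm-01", "globex", "br0", 100),     # shares VLAN 100 with acme
    VmNic("backup-01", "acme", "br0", 10),     # sits on the management VLAN
    VmNic("legacy-01", "globex", "br0", None), # untagged on the management bridge
    VmNic("app-01", "globex", "br1", 200),     # correctly isolated
]

if __name__ == "__main__":
    for vm, issue in audit_separation(SAMPLE_NICS):
        print(f"{vm}: {issue}")
```

In practice the inventory would come from the hypervisor's management interface rather than a hard-coded list; the value of the check is running it on a schedule, because a VM that was compliant when it was built can end up on the wrong VLAN after a migration.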
New Approaches to Security in a Virtualized Environment
Hardened virtual appliances, which are virtual machines built for a specific task, are also becoming more popular with organizations, as they can help the security function to benefit from the same results around virtualization as the rest of the business. A research report from IDC in December 2009 stated that virtual security appliance budget allocations will continue to grow over the next year to 18 months, as the total cost of ownership results are better than using separate point software products or dedicated hardware.
The other area where new approaches to security are being considered is the cloud. Cloud computing can mean different things to different people, but the most common definition is using the Internet to deliver a reliable service to users, where the amount of that service can be scaled up or down depending on demand. This flexibility, coupled with a 'pay-as-you-go' billing model, makes it attractive to organizations where capital expenditure is heavily reduced or where it is hard to get budget signoff.
The potential for cloud computing is huge, as it can make IT service delivery more efficient and cost-effective. However, the cloud faces several major hurdles, the biggest of which is around security. As data will be moving out of the company's direct control, security and privacy concerns are significant, especially in those industries where regulations on data retention and ownership are in place. Establishing the cloud as a trustworthy platform for the business will be an ongoing concern, no matter how attractive the potential savings.
The biggest issue to remember is that all the data involved is yours. Even though it may be residing on another company's storage, it is the responsibility of the customer to ensure that it remains secure. It is essential to perform due diligence on the cloud provider and continually ask questions about how the provider keeps the network secure. Visiting the data center personally can help build trust. If moving completely into the cloud does not suit the business, then taking a trusted partner that can manage the systems on your premises remotely can be a suitable "halfway house" that can deliver the cost benefits of full cloud, while retaining some control.
SaaS providers have already made some headway in demonstrating how trust and security around data can be gained. As this process continues to gather steam, security providers are also looking at how the cloud can make procedures more efficient. Examples of where cloud-based services can be effective include e-mail archiving and Web security, as the value for the organization is in managing the process efficiently, rather than hosting the products or service on-site.
As organizations roll out further virtualized infrastructures or move their workloads into private and/or public clouds, the security team has to be involved in establishing best practices around these shifts in strategy. Virtualization and the cloud, in tandem with security, can provide more efficient management and automation of non-critical IT functions. In an age where IT resources are stretched and budgets static, this represents a significant opportunity for IT to deliver the results that businesses need to remain competitive. As these technologies move into production, the right security planning can ensure that virtualization or cloud computing deliver the promised benefits.
(Astaro is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held April 27-29 at its new venue, Earl's Court, London. The event provides a free education program, exhibitors showcasing new and emerging technologies, and practical and professional expertise. For further information, please visit www.infosec.co.uk)