The Rearranged World of Virtualized Environments a Security Challenge


Late last month, I blogged about the challenges virtualization poses for disaster recovery and business continuity. The post cited a Symantec survey that said, in essence, there is a disconnect between DR/BC and virtualization, and this leads to problems.


The bookend to these challenges is the impact virtualization has on security. The facts are different, but the bottom line is about the same: Virtualization changes so many things about how an IT infrastructure is cobbled together that it takes time for the supporting discipline (DR/BC or security) to catch up.


Formerly complex topics become understandable -- and even interesting -- when they are fully described. That's certainly true of virtualization and security. This post at ARN does a good job of describing why it is difficult. The short answer is that the very benefits virtualization provides make it trickier to secure. More specifically, the pooling of resources, their separation from the underlying physical infrastructure and their constantly changing nature collectively makes it difficult to track to the root cause of an alert or a security fault.


It is impossible to mention virtualization without discussing VMware. Apparently, it is impossible to discuss virtual security without mentioning the vendor, either. This Techworld piece says the company last week announced the existence of 16 vulnerabilities impacting VMware's ACE, Server, ESX, Workstation and Player products. The U.S. Computer Emergency Readiness Team (US-CERT) says that the vulnerabilities can lead to a number of problems, including the ability to run arbitrary code and cause denial-of-service (DoS) attacks. The most telling comment in the piece is a paraphrase attributed to Rob Rachwald, Fortify's director of product marketing:

...[H]e warns the problem comes about because many conventional IT security applications do not fully protect virtual server users.

This piece no doubt will be a bit confusing to those who are not steeped in virtual server technology, but it is valuable nonetheless. The writer, an executive with Apani, quotes Gartner figures that 60 percent of virtual machines will be less secure than physical services through next year. The major reasons are:

  • IP addresses change as the virtual configuration shifts, making it difficult to fulfill security tasks.
  • New virtual machines often are not adequately secured.
  • Monitoring communications between virtual machines often is inadequate and a "silo approach" to virtual machine security exists.

The vendor executive describes a cross-platform approach that he says constitutes a solution to the problem.


Vendors seem to be making moves to meet the challenges. In August, Check Point Software introduced VPN-1 Virtual Edition, a product the company says restores the separation of applications as if they are on separate servers.


Last week, BMC software introduced a virtualization management approach based on its Closed-Loop Change and Configuration Management process. The company said security is one of the main goals of the new system, which is called the BladeLogic Virtualization Module for Servers.


In July Altor Networks said that its Virtual Network Security Analyzer had been certified for VMware's Virtual Appliance and was available through the VMware Virtual Appliance Marketplace.