The Importance of Security in Virtualization

By Kurt Roemer
Wednesday, August 12th 2009
Advanced

The term virtualization broadly describes the separation of a service request from the underlying physical delivery of that service. In general, it is divided into major categories – network virtualization, storage virtualization, desktop virtualization, server virtualization and application virtualization. All areas of virtualization are vulnerable to attacks if security is not properly architected and monitored.

2009 is proving to be a year for massive security improvements in virtualized environments. Enterprises now understand the special requirements and opportunities in this new world, and security vendors are adapting their products to integrate more tightly with virtualization platforms. Major regulatory standards, such as PCI (Payment Card Industry) DSS, are directly addressing virtualization security requirements in 2009.

As virtualization grows in popularity and continues to demonstrate tangible benefits along the way, companies are realizing they must develop and define virtualization security guidelines.

Without proper management and security controls, server virtualization poses security risks to organizations. Virtualization vendors are gradually moving away from simply protecting the virtual layer as if it were a normal machine. Moving forward, experts are encouraging companies to look at security in virtualization based on the concept of workloads. Abstraction at the workload level allows for a more granular specification of security. Above all, organizations need to ensure they implement security controls that meet business needs and are sustainable.

Organizations often overlook the importance of managing virtualized architectures and place workloads of varying security levels on one physical server. When multiple VMs run together on a shared hardware platform, all VMs are at equal risk of being compromised when one falls to an attack. Even if all the VMs are equally secure against attacks, security risk is escalated because the VMs can talk among themselves without passing information through the network layer. As such, organizations must carefully plan the virtualization architecture and consider the impact of multiple VMs with varying security levels on the same physical platform. Additional controls must be architected into this model to achieve required security goals.
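The placement risk described in the paragraph above can be checked against a VM inventory. The following is an added example, not code from the article or from any virtualization product; the inventory records, the field names (`host`, `tier`, `vswitch`) and the assumption that VMs on the same virtual switch of one host can reach each other directly are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample inventory; names, tiers and fields are assumptions.
INVENTORY = [
    {"vm": "web-01",  "host": "host-a", "tier": "dmz",        "vswitch": "vs0"},
    {"vm": "pay-db",  "host": "host-a", "tier": "restricted", "vswitch": "vs0"},
    {"vm": "hr-app",  "host": "host-a", "tier": "internal",   "vswitch": "vs1"},
    {"vm": "pay-app", "host": "host-b", "tier": "restricted", "vswitch": "vs0"},
    {"vm": "pay-db2", "host": "host-b", "tier": "restricted", "vswitch": "vs0"},
]

def mixed_tier_hosts(inventory):
    """Return {host: sorted tiers} for hosts carrying more than one tier."""
    tiers = defaultdict(set)
    for vm in inventory:
        tiers[vm["host"]].add(vm["tier"])
    return {host: sorted(t) for host, t in tiers.items() if len(t) > 1}

def cross_tier_pairs_on_shared_switch(inventory):
    """Return (host, vswitch, vm_a, vm_b) for VMs of different tiers that
    share a host and a virtual switch. Under the stated assumption their
    traffic can stay inside the host, out of sight of network-layer controls.
    """
    groups = defaultdict(list)
    for vm in inventory:
        groups[(vm["host"], vm["vswitch"])].append(vm)
    pairs = []
    for (host, vswitch), vms in sorted(groups.items()):
        for a, b in combinations(sorted(vms, key=lambda v: v["vm"]), 2):
            if a["tier"] != b["tier"]:
                pairs.append((host, vswitch, a["vm"], b["vm"]))
    return pairs

if __name__ == "__main__":
    for host, tiers in mixed_tier_hosts(INVENTORY).items():
        print(f"{host}: mixed security levels {tiers}")
    for host, vswitch, a, b in cross_tier_pairs_on_shared_switch(INVENTORY):
        print(f"{host}/{vswitch}: {a} and {b} can talk without leaving the host")
```

Hosts reported by the first check are candidates for re-placement; pairs reported by the second are where additional controls inside the host would be needed if the workloads stay together.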

Virtualization security must start before the VMs are deployed and, ideally, before vendors and products are selected. IT administrators should always factor security into their evaluation and selection process. Main issues, such as the risks and mitigating measures associated with virtualization software and the potential breakdown of separation of duties for administrative tasks, should be considered in the process as well.

Desktop virtualization offers a way to extend the benefits of virtualization to end users, resulting in better performance, the flexibility of a full desktop and higher security. These products help organizations secure and protect valuable data and intellectual property. 

Virtualization vendors recommend that virtual desktops be connected only when a user has been authenticated. This way, a virtual desktop allows a connection only when the authenticated user is validated. The virtual desktop is thus better protected from attack, and stricter control is enforced over who is authorized to receive data from the desktop environment.