IT Managers and Virtualization: Plagued by Insecurity?
IT Managers and Virtualization: Plagued by Insecurity?
By Jeff Byrne published: Monday, August 25 2008
The security of virtualized environments is rapidly becoming
one of the most talked about issues in IT circles. The number of new web-based articles and blog
postings on this topic has skyrocketed, multiplying some twenty-fold over the
past two years. Several highly popular
conference keynotes have recently addressed this topic, and hardly a week goes
by that a prominent analyst or IT guru fails to weigh in on the subject. Are IT professionals themselves becoming
insecure about the security of their virtual infrastructures? Is all of this media attention justified?
We believe the answers to these two questions, respectively,
are "a little bit" and "yes." Any IT professional who has endured
the pain of a major security breach is entitled to at least a touch of
paranoia. A hypervisor that
assumes many of the traditional functions of a general-purpose operating system
- and interacts closely with underlying systems hardware - is clearly open to
attack, and will increasingly become a target for hackers. And while proven, thinned-down hypervisors
such as VMware ESXi are much less vulnerable than Windows, they are far from bulletproof. Virtual machines, which tend to propagate
rapidly in a newly virtualized environment, are also susceptible to attacks,
particularly if their guest OS's are not properly patched or updated.
How can IT managers protect their virtual infrastructures
from exploits and other intrusions? As a
first step, they should treat security in their virtual environments at least
as rigorously as they do in their physical ones. Virtual machines require the same level of
care as physical systems, and given their tendency to multiply, may warrant
even greater attention. IT managers
should adapt existing operational policies and practices to meet the security
needs of their virtual infrastructures.
For example, strict policies must be defined and implemented for
patching and updating virtual machines, and for tracking and managing them as
they are moved between physical systems.
While the tools and practices for securing virtual
environments are still in their infancy, IT managers should be encouraged by
recent industry progress. The largest
virtual infrastructure vendors are working on initiatives to enable a rich
ecosystem of security solutions, as VMware is now doing with its VMsafe
program. And the first industry conference
dedicated to virtual machine security - bringing together vendors, users and
academia - will convene in conjunction with a larger ACM security conference in
late October. With all this attention
and brainpower being devoted to securing virtualized environments, IT managers might
soon be able to rest a little easier.
Jeff Byrne is Senior Analyst & Consultant
at Taneja Group. Jeff’s
primary focus is on companies, trends and technologies in the server
virtualization market. Prior to joining Taneja Group, Jeff spent five years as
Vice President of Marketing and later Vice President of Corporate Strategy at
VMware, a leading provider of virtual infrastructure software. Jeff has more
than 20 years of marketing and operational experience at companies such as
Hewlett-Packard, MIPS, and Novell. He can be reached at jeff.byrne@tanejagroup.com.
