RealTime IT News

Tackling Virtualized Environment Security

As enterprises gallop ahead towards virtualizing their IT infrastructures, security and compliance issues are going to slow them to a crawl.

That's because virtual environment security is nothing like security in the physical environment.

Security measures in the physical environment are based on the servers being fixed, having a constant identity, and being easy to check on, but the virtual environment is always fluid, always changing and difficult to get a handle on.

Worse still, the tools and processes that ensure security in the physical environment just don't work in a virtualized one.

"The existing tools for remediation, discovery and so on aren't for the virtual world," Chris Farrow, director of product strategy at virtualization policy management vendor Fortisphere, told InternetNews.com.

"They don't understand the virtual architecture is dynamic, virtual machines can be turned on or off, and typical scanning and provisioning tools don't understand the concept of machines being able to migrate on the fly, an entire machine that you can capture on a thumb drive," he explained.

"They expect a box that's on 24x7, is always sitting on a rack somewhere and not dynamically changing its identity and nature or being moved easily from one host to another."

The procedures for regularly assessing the IT environment, finding out which boxes are running what software, for patch management and for provisioning are "great for the physical world, but not for the virtual world," Farrow said.

"You can have a physical box with 20 virtual machines (VMs) on it talking to each other all day long and there's no way to get inside the network and find out what's going on, so all the tools people have bought over the last 10 years or so have to be re-instrumented."

There are three facets to the problem, David Lynch, vice president of marketing at Embotics, told InternetNews.com. These are the loss of identity; mobility; and the loss of control by the IT security team.

In the physical world, a server is identified in the environment by its physicality -- the rack or row number, or something associated with the physical machine -- and, when it's virtualized, "you, in essence remove its identity," he said.

To make things worse, cloning a virtual machine results in several identical copies, and that creates system management, maintenance and updating problems because it's difficult to identify and differentiate the various clones of a VM from one another.

Adhering to compliance

Ensuring VMs are adhering to compliance and separation rules is also difficult because VMs are highly mobile, and can be migrated automatically to a different physical server if the resources of the one they're on are inadequate.

For example, an enterprise's human resources systems or credit card systems could end up running on a server where they could be potentially accessed by a Web server application when the VM they are running on is kicked over automatically to a new physical server.

Consolidation, which is the main reason corporations opt for virtualization, can also lead to this problem because "you might have had separate VLANs (virtual local-area networks) and segments for different kinds of data -- customer data, credit card data and so on -- but when you consolidate 20 physical servers into a single ESX host, all that data is on the same virtual switch so, more often than not, your data and network segmentation are lost," Michael Berman, Catbird's chief technology officer, told InternetNews.com.