Security for the virtual layer
By 2009, two-thirds of organizations will be using virtualization in some significant way, according to a November 2007 report from Forrester Research.
That organizations are implementing these technologies despite their inherent risks is shown by two surveys of a US Technology Opinion Panel conducted six months apart.
In a June 2007 poll, 64 per cent of 707 respondents said they believe virtualization increases their security risk. Yet in January, 60 per cent of 977 readers polled said they were not holding back on these and other new technologies despite security concerns. This might indicate a rushed migration, but adopting enterprises really are taking their time thinking things out and starting with their noncritical systems, Configuresoft's Moreau says.
"As you look across the virtualization stack, one of the dominant issues for enterprises is the lack of a holistic, coherent resulting view, so they're going after their low-hanging fruit," he says. "Some of our largest customers . . . are only virtualizing those assets that don't have rigorous audit and due-care requirements."
At Mercy Medical, a 6,000-user teaching hospital, not only is a virtual desktop pilot underway but so is a large-scale server virtualization project. Mark Rein, the center's senior IT director, is a fan of the efficiencies produced by virtualization, but he's also aware of the risks. So his organization is taking due care with proof of concept, mapping of system interdependencies, and testing before putting anything into a beta production environment.
For example, the center's virtual desktop pilot began with 400 doctors and residents in January. Ultimately, Mercy Medical plans to issue keys to its mobile home nursing staff.
In February, after completing a proof of concept, the center began consolidating 240 data-center servers with the goal of reducing the number of servers to 70 by year-end. The consolidation is rolling out in phases, with the virtualization of 50 noncritical servers -- machines that aren't directly connected to a patient's care -- coming first.
You multiply your risk of failure when you move to virtual-server consolidation, Rein says, because losing one physical server means losing 50 virtual machines at the same time. So, Mercy Medical relies on double redundancies and failovers at the physical and virtual machine layers.
Also in need of protection are the VMMs themselves. VMware's ESX, Citrix Systems' XenServer and Hyper-V by Microsoft are lightweight operating systems unto themselves that make tempting exploit targets for attackers, particularly through SSH commands and other administrative paths, says Dave Shackleford, CTO of The Center for Internet Security and co-author of the virtual security benchmark.
As Rein says, "You can build antimalware and security controls into your virtual-machine gold builds, but you can't see what they're doing among themselves in their virtual networks. Nor can you monitor calls between hypervisor and virtual machines for anomalous behaviors. Are we to believe they're safe because [management vendors] say so?"
To address the management problem, Microsoft acquired Calista Technologies in January. It likely will add Calista's integrated virtualization management and security technology to its System Center Virtual Machine Manager software. What remains to be seen is whether virtual-machine makers that take on the management of their own systems would permit the visibility into machine behavior that's needed by IT executives like Rein.
For example, Novell's ZENworks Orchestrator life-cycle manager can tell you if a virtual machine spinning up from suspend, or sleep, mode is an approved virtual device. It can't monitor its virtual machines' behavior for anomalous findings and send alerts, however. For that, Novell defers to external tool providers, says Richard Reed, director of product marketing at the company.
Two such tools are Blue Lane Technologies' VirtualShield and Reflex Security's Virtual Security Appliance (VSA). They monitor for malicious traffic entering through the hypervisor and between virtual machines.
Rein says he is interested in the Reflex tool but is waiting for the company to come out with a component for his Microsoft environment. Reflex, in turn, says it is waiting for the official release of Hyper-V, expected late this year, before adding a Microsoft component. VSA is a virtual machine that sits on virtual networks watching for anomalous virtual-machine behavior. It currently supports VMware's ESX Server, Citrix XenSource and Virtual Iron Software's Virtual Iron.