Risky Business

(Note: this is a guest blog from a virtualization vendor. We do accept guest blogs if the content is relevant to our readers, and no mention of a vendor's products is made in the blog. These have to be straight information, with absolutely no marketing spin or hype. Contact me if you would like to contribute. -- Keith Ward)

Anyone who has experienced server sprawl knows how expensive it is in terms of resources. But when it comes to the virtual world there is another aspect that must be considered -- security.

Many organizations treat virtual servers similar to how they treat physical servers, and while they have a lot in common, there are some significant and risk-inducing differences.

Virtual Machines are Different

The first difference is subtle -- Identity. A physical server has a specific identity tied to its physicality that is usually attributed to the actual hardware. A VM, on the other hand, not only lacks the physical identity but can be "cloned" at the click of a mouse, producing duplicates of the same server.

This lack of verifiable identity makes it difficult to enforce corporate policies, or even recognize authorized VMs from unauthorized VMs. This potentially allows unauthorized or "rogue" VMs to creep into an environment unnoticed.

Another significant difference is mobility. Physical machines rarely move. Virtual machines, on the other hand, move a great deal, either through planned (or unplanned) maintenance, or through the agency of a growing number of software tools (e.g., load balancing tools that redistribute VMs based on host loads). VMs also tend to change state (e.g., powered on or off) more than their physical counterparts -- another aspect of mobility.

Traditional Control and Security Tools Do Not Work Very Well

Lack of identity and increased mobility create significant challenges for the traditional data center management tools. VMs can be counted more than once as they move through the environment, or not counted at all if they cannot be seen (i.e., are offline or just not visible).

Traditional Security Solutions Do Not Work Very Well

Some of the problems that you have already solved in the data center can become "unsolved" in the virtual world. For example: traffic between VMs on the same host is invisible to the "outside", and consequently not inspected by malware checkers or IPS/IDS systems, creating "points of invisibility".

Some security systems need to know what they are protecting and where it resides. This works well when things do not move, and do not work well in a mobile environments.

VM management Tools Do Not Track VMs

Most of the VM management tools provided by virtualization vendors focus on what the environment looks like in real time. Frequently the management and tracking of VMs is done manually, making it prone to error and difficult to audit, and expensive to produce adequate reporting.

Compliance Standards Can Be Compromised

Data protection and application separation standards can be difficult to maintain in a virtual environment where the servers are mobile. They may be deployed correctly with care or they will not stay where you put them.

For the most part, corporate IT auditors are not aware of the differences between physical and virtual servers. But when they do become aware, they need to be in control at the time of the audit, while also demonstrating control over the whole audit period.Do not wait until they are breathing down your neck before considering the risks detailed here.

Posted by Keith Ward on 04/24/2008 at 12:48 PM