Virtual Observer

How Delicate Is Your Virtual Egg Basket?

Server virtualization has taken us to places we've never been before, but there is some truth to that old adage about having seen it all before.

• By Mike Matchett
• 07/15/2013

Some have said there is nothing new under the sun, that it all comes around in circles. We think server virtualization has taken us to places we've never been before, but there is some truth to that old adage about having seen it all before. As has happened in many previous technology adoption cycles, first we struggle with assuring sufficient "correctness" and availability, then we work hard to guarantee performance, and as a third act, we have to eventually harden the solution to both internal and external threats.

With virtualization, this cycle is perhaps more acute in that the whole point is to aggregate many clients and users into one cost-efficient shared resource pool. And the corresponding infrastructure convergence of formerly disparate IT silos concentrates the number of subject matter experts and admins while expanding the end-to-end scope and control of this talented remainder.

Security Is the Third Stage
Security should never be an afterthought, but in our rush to get out ahead of the competition -- or even just survive economically to play another day -- we stand something up as quick as we can just to see if it can be done. Then as we come to rely on it for day-to-day operations, we discover that it matters when it falls over or performs badly.

Enter big systems management corrections with add-on monitoring, automation, and optimization solutions. But security concerns may still seem a vague threat and an acceptable risk until we start really leveraging the new technology for our mission-critical applications -- the most vulnerable "eggs" in our portfolio.

Many organizations have reached that third stage in virtualization whether they know it or not. There is an oft-touted 60 percent of workloads being virtually hosted these days. Even if the rest have shells too thin to risk floating them in the virtual pool, that 60 percent majority collectively represents a significant vulnerability. And many mission critical apps may have some key parts already in the virtual space. All it takes is one hacked virtual admin account and a whole company could be wiped out. A malevolent individual -- ex-employee or international spy -- could not only steal data but now whole virtual machines and then shut everything down, destroy whole environments including backups and data protection measures, and defeat disaster recovery.

Does cloud solve this problem? Actually to some extent it helps, because a compromised corporate account has no access to the service provider's infrastructure layer and most service providers have exceptionally high security data centers. Given the extra emphasis on ensuring multi-tenancy, applications running in most clouds are likely more secure than in most corporate data centers. But we think that the future is really in hybridization, so the elevated risk doesn't fully go away with cloud adoption.

Security Solutions for Vulnerable Virtualization
There are of course a lot of aspects to securing a virtual environment starting with controlling the external access points at the network, server, and application layers. As expected, there are lots of existing solutions to help here including solutions from the hypervisor vendors directly (e.g. VMware vCloud Networking and Security) and network-specific and -layered solutions from third parties (eg.. Cisco, Juniper, McAfee, Symantec, et al.) that also can span across multiple environments.  

With software-defined themes showing up everywhere these days (and yes, we agree the "software-defined" term is overused and misapplied by many), the implication is that environments are about to get even more dynamic. Catbird's approach offers an agile way to have security policies follow virtualized assets, and can ensure regulatory and compliance policies in highly dynamic deployments.

But there is still a big inside risk here. Despite role-based access policies, most virtual admins have "master key" access to a wide swath of vulnerable infrastructure. As a former Air Force Intelligence Officer I can't tell you about dark and dangerous secrets, but it’s common knowledge that the worst breaches of security happen due to mistrusted insiders. A solution like HyTrust aims directly at securing that risk by proxying all admin commands through their secure layer first, where controls, filtering, and auditing can be thoroughly imposed.

Security Specialization
We don't fear so much for the larger organizations with dedicated security specialists or cloud-hosted applications. It's the mass of companies with a few virtual admins and much of their IT virtually hosted on premise or in virtual private data centers. And especially those with converging infrastructures. Unfortunately there is no magic bullet and most security solutions impose friction and cost, but security needs to be at the top of the list. As much as we love focusing on the latest shiny advances in performance optimization, having all your data and apps just one admin password away from disaster is a risk you can't afford to take.