The race is on. As organizations successfully slash the costs associated with buying, powering, and maintaining physical servers by embracing virtualization, are they leaving their systems vulnerable? Maybe so. Companies' efforts to virtualize are moving beyond the simple consolidation of servers and applications to fewer physical boxes, but there's an additional risk that can parallel the reward. And the risks lie not only where many might suspect--with the hypervisor or virtualization software itself--but also with the impact virtualization can have on traditional network and security controls.

Virtualization software, primarily the hypervisor, is no different than any other software application: It's bound to have defects and security bugs. What sets hypervisors apart is the risk of so-called "hyperjacking," a successful attack that leads to a compromised hypervisor, giving an attacker unfettered access to all virtual machines on the physical server. This could be quite the compromise, given that anywhere from a handful to dozens of VMs could be running on a single host.

While the consequences of a compromised host can be dire, it's generally thought that the vulnerabilities of the hypervisor are the least of a security professional's worries. "Virtualization security has nothing to do with the security of the hypervisor," says Andreas Antonopoulos, an analyst at Nemertes Research. "It has to do with the fact that we're fundamentally changing the IT architecture, operational patterns, deployment life cycles, and management methods of our servers. These issues will create more security issues for organizations than the hypervisor itself."

Along with the flexibility and agility gained through virtualization comes a security blind spot--the loss of visibility into network traffic. "You lose granularity on the network traffic between your virtual servers because that traffic never leaves the physical box, and your traditional security tools won't be able to analyze the traffic," says Lloyd Hession, an independent IT security consultant and former chief information security officer at financial network services firm BTRadianz.

This lack of visibility into virtual network traffic is only likely to grow more troublesome as organizations move beyond simply stuffing less-than-mission-critical systems onto fewer physical hosts. More companies are beginning to manage more virtualized servers in the data center, and these servers are running mission-critical applications. Research firm IDC predicts that companies will invest nearly $11.7 billion in virtualization services by 2011, up from $5.5 billion in 2006.

Consider the experience of health care industry software services provider Quantros, which provides hospitals and health care providers with on-demand software that helps manage patient safety tracking, accreditation, and compliance. Last year, the company began investigating ways it could revamp its then-aging network. "Our network was expanding, and it was becoming cost-prohibitive to keep adding new physical servers," says Bryan Rood, director of Internet data center services at Quantros.

To help save costs while expanding its network, Quantros turned to VMware's ESX server virtualization platform to virtualize a number of its Web and development servers. "This was an ideal area of our infrastructure to start, and there was a strong business case for virtualizing these systems," Rood says.

BUILD ON SUCCESS
Following the initial success, more virtualization efforts got under way, including virtualizing systems used for quality assurance. It soon became clear that Quantros' servers, which today consist of 55 physical and 40 virtualized servers, faced security challenges. First, traditional network-based intrusion-prevention systems wouldn't be able to protect multiple virtual servers on a single host from attacks on each other. And maintenance and patching cycles grew challenging, as they always do. Also, considering the ease at which virtual servers can be dispatched, Rood needed a way to make sure each virtual system adhered to the company's strict security and patch-level policies.

Quantros turned to Blue Lane Technologies and its ServerShield, which not only successfully identified and protected Quantros' physical severs, but all of the virtualized instances on those servers as well, Rood says. Blue Lane, which has its roots as a virtual patch proxy, is enhancing its technology to better protect virtual environments. Last year, the vendor made available its VirtualShield, which is specifically designed for VM-to-VM traffic-flow analytics and enforcement.

These are the types of security challenges that companies turning to virtualization need to be prepared for. "Most companies, when they started down this path, did so for their lab and testing systems. They found they could save some money and get additional business agility," says Kurt Roemer, chief security strategist at Citrix Systems. "But they didn't ask how virtualization would change their existing network infrastructures. The traditional controls are now abstracted."

That has security pros and audit teams a bit prickly. "They want to see how these virtualized environments will function and deliver the same security posture, availability, latency, and deliver on the SLAs that they enforced prior to moving to virtualization," says Chris Hoff, chief architect of security innovation at Unisys.

(click image for larger view)