12:15 PM
Joe Hernick

Strategic Security: Server Virtualization

VMware's VMsafe program is bringing more security options to the world of server virtualization.

Server virtualization is sweeping the data center, but the cold, hard truth is that few of these initiatives have incorporated security during design, testing, or deployment. That's a problem, because you can't just transfer traditional security policies and practices used in the physical world.

Physical-world security is often tied to "physical" attributes--such as MAC addresses, server identities, and IP addresses--that aren't relevant in the fluid world of virtual machines. To make matters worse, security pros and VM admins alike can find themselves sniping from opposing camps rather than working together to design and implement an efficient, secure virtualization infrastructure.

InformationWeek Reports

Meanwhile, hypervisors and the virtualization layer eventually will be compromised. Despite the best efforts of PR teams to convince us otherwise, hypervisors aren't magical constructs. They're just software, and no code is free of errors or vulnerabilities.

Organizations also may introduce their own vulnerabilities. Virtual machines can communicate with one another on the same physical host without that traffic ever passing through--or being inspected by--firewalls and intrusion-detection systems. If an attacker compromises one VM, he can use it as a base of operations to probe and invade others on the same server without the security or operations team ever knowing.

The danger is inadvertently putting sensitive or regulated data at risk: An administrator might reconfigure host network interface cards for performance reasons and end up placing a customer database and Web-facing server on the same card. Automated VM transfers, in which a virtual machine hops from one physical server to another, may violate security policies or compliance rules if a VM moves outside a secure domain. A virtual instance of a Web server that was deployed for a quick test may sit, unpatched and unmonitored, on the same virtual LAN as critical production VMs, just waiting to be infiltrated by attackers.

That's a long list of issues for security professionals and virtualization administrators to tackle. The industry, recognizing that major security disruptions could choke the growth of virtualization, is taking steps to make virtual machines and inter-VM traffic more visible and better secured.

A Matter Of Security
The theme for 2009 is stagnation vs. innovation.
The most prominent effort comes from VMware, whose ESX hypervisors dominate the server virtualization market. The company announced the VMsafe program in spring 2008. VMsafe provides a set of APIs that vendors can use to extend security and monitoring capabilities into the virtual realm--or at least, into VMware's realm.

The VMsafe security APIs run at the hypervisor and machine monitoring layer, allowing security vendors to hook into all activity occurring in your virtualized world to monitor traffic, enforce policies, and watch for suspicious activities on the hypervisor and virtual machine guests. Arguably, VMsafe and APIs from other hypervisor vendors will, in the long run, allow insight and monitoring capabilities beyond what can be done with physical servers.
