Strategic Security: Server Virtualization - InformationWeek
12:15 PM
Joe Hernick

Strategic Security: Server Virtualization

VMware's VMsafe program is bringing more security options to the world of server virtualization.

Server virtualization is sweeping the data center, but the cold, hard truth is that few of these initiatives have incorporated security during design, testing, or deployment. That's a problem, because you can't just transfer traditional security policies and practices used in the physical world.

Physical-world security is often tied to "physical" attributes--such as MAC addresses, server identities, and IP addresses--that aren't relevant in the fluid world of virtual machines. To make matters worse, security pros and VM admins alike can find themselves sniping from opposing camps rather than working together to design and implement an efficient, secure virtualization infrastructure.

Meanwhile, hypervisors and the virtualization layer eventually will be compromised. Despite the best efforts of PR teams to convince us otherwise, hypervisors aren't magical constructs. They're just software, and no code is free of errors or vulnerabilities.

Organizations also may introduce their own vulnerabilities. Virtual machines can communicate with one another on the same physical host without that traffic ever passing through--or being inspected by--firewalls and intrusion-detection systems. If an attacker compromises one VM, he can use it as a base of operations to probe and invade others on the same server without the security or operations team ever knowing.

The danger is inadvertently putting sensitive or regulated data at risk: An administrator might reconfigure host network interface cards for performance reasons and end up placing a customer database and Web-facing server on the same card. Automated VM transfers, in which a virtual machine hops from one physical server to another, may violate security policies or compliance rules if a VM moves outside a secure domain. A virtual instance of a Web server that was deployed for a quick test may sit, unpatched and unmonitored, on the same virtual LAN as critical production VMs, just waiting to be infiltrated by attackers.
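The three exposures named above (mixed sensitivity on one physical NIC, a VM moved outside its secure domain, and an unpatched test VM sharing a VLAN with production) can be checked against a placement inventory. The following Python sketch is an added example, not part of the original article or any vendor tool; the inventory records, zone names, host names, and policy tables are all constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory (not from the article): each VM's data zone, host,
# physical NIC, VLAN, and whether it is patched and monitored ("managed").
INVENTORY = [
    {"vm": "web01", "zone": "dmz", "host": "esx-a", "nic": "vmnic0", "vlan": 10, "managed": True},
    {"vm": "custdb", "zone": "regulated", "host": "esx-a", "nic": "vmnic0", "vlan": 20, "managed": True},
    {"vm": "app01", "zone": "internal", "host": "esx-b", "nic": "vmnic1", "vlan": 30, "managed": True},
    {"vm": "testweb", "zone": "internal", "host": "esx-b", "nic": "vmnic2", "vlan": 30, "managed": False},
]
# Hypothetical policy: zone pairs that must never share a physical NIC, and
# the hosts that make up each zone's approved (secure) domain.
FORBIDDEN_NIC_PAIRS = {frozenset({"dmz", "regulated"})}
APPROVED_HOSTS = {"regulated": {"esx-a"}, "dmz": {"esx-a", "esx-b"}, "internal": {"esx-b"}}

def audit(inventory):
    """Return (finding, vm names, location) tuples for the three placement risks."""
    findings = []
    by_nic, by_vlan = defaultdict(list), defaultdict(list)
    for vm in inventory:
        by_nic[(vm["host"], vm["nic"])].append(vm)
        by_vlan[vm["vlan"]].append(vm)
        # A VM running on a host outside its zone's approved set has left its domain.
        if vm["host"] not in APPROVED_HOSTS.get(vm["zone"], set()):
            findings.append(("outside-secure-domain", vm["vm"], vm["host"]))
    for (host, nic), vms in by_nic.items():
        zones = {v["zone"] for v in vms}
        for pair in FORBIDDEN_NIC_PAIRS:
            if pair <= zones:  # both forbidden zones present on one card
                names = sorted(v["vm"] for v in vms if v["zone"] in pair)
                findings.append(("shared-nic", ",".join(names), f"{host}/{nic}"))
    for vlan, vms in by_vlan.items():
        # An unmanaged VM is a finding only when it shares the VLAN with managed ones.
        if any(v["managed"] for v in vms):
            for v in vms:
                if not v["managed"]:
                    findings.append(("unmanaged-on-shared-vlan", v["vm"], f"vlan{vlan}"))
    return findings

def check_migration(vm, target_host):
    """Pre-move gate for automated transfers: is the target inside the VM's domain?"""
    return target_host in APPROVED_HOSTS.get(vm["zone"], set())

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

Running the same audit on a schedule, and `check_migration` before each automated move, catches drift introduced by performance tuning or load balancing rather than by an attacker.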

That's a long list of issues for security professionals and virtualization administrators to tackle. The industry, recognizing that major security disruptions could choke the growth of virtualization, is taking steps to make virtual machines and inter-VM traffic more visible and better secured.

The most prominent effort comes from VMware, whose ESX hypervisors dominate the server virtualization market. The company announced the VMsafe program in spring 2008. VMsafe provides a set of APIs that vendors can use to extend security and monitoring capabilities into the virtual realm--or at least, into VMware's realm.

The VMsafe security APIs run at the hypervisor and machine monitoring layer, allowing security vendors to hook into all activity occurring in your virtualized world to monitor traffic, enforce policies, and watch for suspicious activities on the hypervisor and virtual machine guests. Arguably, VMsafe and APIs from other hypervisor vendors will, in the long run, allow insight and monitoring capabilities beyond what can be done with physical servers.
