It's Time To Get Serious About Virtualization Security

Server virtualization was one of the hottest IT trends in 2009. Unfortunately, in the race to keep up, both vendors and their customers may be overlooking important security concerns.Last January, NetworkWorld columnist Andreas Antonopoulos noted that virtualization was "almost a mainstream technology." Certainly, he asked, shouldn't the companies using virtualization technology understand both the benefits and the risks they face? Surely it seemed that security would be a top issue in architecture, design and technology choice. After all, as with any new technology there are new security issues to contend with. Entire network infrastructures now exist inside the virtualization layer, connecting servers. New management systems allow near-instant provisioning, migration and de-provisioning of entire fleets of servers.

Server images are floating around on disk and are whizzing around networks. Live migration means that virtual server memory pages are also whizzing around on the network. New architectures, processes and management systems, as well as organizational upheaval, are all creating infinite possibilities for mischief. So we naturally asked (and have been asking every year since 2004) what companies were doing differently for security. Any tools? Any new architectures? Anything?

According to Antonopoulos, less than one company in ten surveyed was "deploying any security tools designed to deal with virtualization." More than two out of three firms had "no plans at all to do anything specifically aimed at security their virtual environments."

Those numbers reflect a stunning lack of knowledge regarding the unique security environment that companies must navigate when they adopt virtualization technologies.

Fast forward to last week, when the publication revisited the topic -- this time with a focus on the vendors themselves. While some companies are making progress in virtualization security, including the development of dedicated security APIs and new third-party security tools, the overall lack of progress remains both surprising and disturbing to many experts.

Don't Miss: NEW! Virtualization How-To Center

It's easy -- and correct -- to take vendors to the woodshed for this poor showing. But that doesn't let their customers off the hook.

Too many IT professionals think that isolating their virtual servers with virtualized LANs protects them against external security threats. And too many think that a bare-metal hypervisor is immune to the security flaws associated with a full-scale server OS.

Both assumptions are wrong. History proves that when a new technology -- any technology -- hits the IT mainstream, attackers will sit up, take notice,and rise to the challenge. It's a question of when, not if, the honeymoon will end.

Companies that use server virtualization need to take security just as seriously as they would with a physical server infrastructure. They need to pressure vendors to treat security concerns as a deadly serious business, rather than looking the other way. And when necessary, they need to vote with their checkbooks to persuade vendors that they mean business.