Those infrastructure changes can have a significant impact on security. Virtualized servers hosted on the same physical box can communicate directly with each other without any of their traffic hitting the physical network, which is where traditional network security tools reside. Standard in-line security tools, such as intrusion prevention, depend on sitting in the path of the conversation over the network. This lack of visibility can have unintended consequences: tools that collect network, database, and application logs for regulatory compliance reporting don't get all the information they need; host-based antivirus tools, if installed on numerous virtual servers, can bring the overall CPU utilization of the physical server to a crawl; and patch management apps may not offer good support for virtualized systems.
To make certain proper security controls are in place, companies have created logical security zones such as trusted, untrusted, and Internet-facing demilitarized zones. This way, virtualized instances that contain sensitive or proprietary information will be limited to physical hosts within zones ranked at the appropriate security level, with higher security settings in more trusted zones and loosely managed systems in the untrusted zones. These zones can be segmented much the same way security zones are used in physical networks. For instance, a network segment that supports the sales department of a pharmaceutical company would have much different security controls than research and development segments would have.
Yet attempting to secure virtualized environments in this way can significantly limit the utility of virtualization--being able to quickly add or shift virtualized instances to available host server resources. Because security zones lessen the number of virtual servers that can be consolidated, you'll need to add more physical servers for each zone.
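The consolidation trade-off described above can be made concrete with a small placement simulation. The following is an added example, not code from the article or from any vendor it mentions: it packs a constructed inventory of VMs onto physical hosts of a fixed CPU capacity using first-fit-decreasing placement, first with no constraints and then with the rule that a host may only carry VMs from one security zone. The host capacity, VM sizes, and zone names are all constructed for illustration.

```python
"""Added example: how security zones reduce VM consolidation.

Places VMs onto physical hosts with and without a per-zone placement
constraint, and reports host count, zone-mixing violations, and the
spare capacity that ends up stranded inside each zone.
"""

HOST_CAPACITY = 16  # constructed: CPU units per physical host

# Constructed inventory: (vm name, cpu units, security zone)
VMS = [
    ("sales-web-1", 4, "dmz"),
    ("sales-web-2", 4, "dmz"),
    ("rnd-db-1", 8, "trusted"),
    ("rnd-app-1", 6, "trusted"),
    ("hr-app-1", 3, "untrusted"),
    ("test-box-1", 2, "untrusted"),
    ("test-box-2", 2, "untrusted"),
    ("rnd-app-2", 5, "trusted"),
]


def place(vms, capacity, enforce_zones):
    """First-fit-decreasing placement of VMs onto hosts.

    Returns a list of hosts, each {"zone": str | None, "used": int, "vms": [names]}.
    With enforce_zones=True a host is dedicated to the zone of its first VM
    and refuses VMs from any other zone, mirroring the zoned-host policy.
    """
    hosts = []
    for name, cpu, zone in sorted(vms, key=lambda v: -v[1]):
        for host in hosts:
            if host["used"] + cpu > capacity:
                continue  # host is full
            if enforce_zones and host["zone"] != zone:
                continue  # host belongs to another security zone
            host["used"] += cpu
            host["vms"].append(name)
            break
        else:
            # No existing host can take this VM: provision a new physical host
            hosts.append({"zone": zone if enforce_zones else None,
                          "used": cpu, "vms": [name]})
    return hosts


def hosts_needed(vms, capacity, enforce_zones):
    """Number of physical hosts the placement consumes."""
    return len(place(vms, capacity, enforce_zones))


def violations(hosts, vms):
    """Count hosts carrying VMs from more than one zone (co-residency the policy forbids)."""
    zone_of = {name: zone for name, _, zone in vms}
    return sum(1 for h in hosts if len({zone_of[n] for n in h["vms"]}) > 1)


def spare_by_zone(hosts, capacity):
    """Spare CPU units per zone: capacity that cannot be lent to another zone's pool."""
    spare = {}
    for h in hosts:
        spare[h["zone"]] = spare.get(h["zone"], 0) + (capacity - h["used"])
    return spare


if __name__ == "__main__":
    for enforce in (False, True):
        hosts = place(VMS, HOST_CAPACITY, enforce)
        print(f"zones enforced={enforce}: {len(hosts)} hosts, "
              f"{violations(hosts, VMS)} mixed-zone hosts, "
              f"spare by zone={spare_by_zone(hosts, HOST_CAPACITY)}")
```

With this inventory the unconstrained packing fits all 34 CPU units onto three hosts but puts trusted and untrusted workloads side by side on two of them; enforcing zones removes every mixed host at the cost of a fourth physical server, and the spare capacity that remains is locked inside each zone's pool rather than being available wherever demand appears.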
"The benefits and ROI of virtualization naturally push organizations because they want the flexibility to allocate more databases, more Web servers, more application servers when needed," says analyst Antonopoulos. "But if you run out of capacity in the database pool, you can't shift demand to the application pool. You're now put in a difficult position of having to make explicit choices between business utility, flexibility, and ROI on one hand, and security on the other," he says.
Another challenge: The hardware capacity demands of running security software within multiple VMs, as well as on the physical host, can strain CPU loads. "Host-based security tools can work just fine, but you may not get the amount of consolidation you sought, and capacity-planning CPU cycles becomes even more important in virtualized environments," says Pete Lindstrom, a security analyst at research firm Burton Group.
As a workaround to this, companies have tried routing virtual server traffic through virtual switches out to the physical network, to be vetted by their traditional network security controls such as intrusion-prevention and anti-malware systems, and then back to the virtual server. But even this can get messy. "Trying to manage virtual system security the way you managed physical system security is both the best and worst answer," says Antonopoulos. "You scale that to any number of machines above a dozen, and the result is what I call 'VLAN spaghetti.' It's completely unmanageable."
To help its partners better integrate security into virtualized environments, virtualization stalwart VMware recently kicked off its VMsafe initiative. VMsafe is a set of APIs that permit security apps to attain a level of visibility into VMware's hypervisor--that thin layer of virtualization software that abstracts the operating system and apps from the hardware platform. The APIs let security vendors develop tools to block viruses and Trojans, monitor network traffic, build firewalls that integrate more tightly with VMs, and even improve patch management and perform vulnerability assessments. About 20 suppliers have expressed interest in VMsafe, including Check Point Software, McAfee, Symantec, and VMware parent EMC's RSA Security unit.
"VMsafe is a signal to the market that VMware is taking security seriously and that they're willing to work with third-party security vendors to bring their solutions to the virtualized environment," says Lindstrom.
That openness is a double-edged sword. "By giving security vendors access to directly interact with, and in some cases control, functions will bring virtualized generations of security toolsets, but it will also present some interesting attack vectors that can be exploited by people who love to take advantage of that same set of APIs," says Unisys' Hoff.
While the risks to virtualized environments are real, the tools and best practices for securing them are fast becoming real, too. "The security tools will mature," says consultant Hession. "We'll see the same level of rapid innovation from the startup security vendors. Those tools will be tested and proven in the market, and eventually become part of the network fabric." That can't happen soon enough for companies looking to capitalize on the business benefits of virtualization.
The Right Security Tools