Virtualization promises to make IT departments more flexible, more efficient and -- perhaps most crucial in these tough times -- more frugal. But one advantage the technology doesn't provide is an escape from the need for strong security measures.
As soon as he began planning his Novell virtualization project, Noah Broadwater realized that he was looking at an initiative that would require both a continuation of existing security practices and an analysis of any perils that might be created by the new technology.
"It was evident that virtualization demanded a close look," says Broadwater, who is vice president of information services at New York-based children's media producer Sesame Workshop. "Above all, we had to make sure that we would be secure on all fronts."
Neil MacDonald, an analyst at Gartner Inc., says that virtualization is opening new doors for IT departments as well as for people who seek to tamper with critical data and services.
"Adopters can expect that virtualized software, like hypervisor software, will be attack targets," he says. "Therefore, virtualization security planning should be addressed at a project's inception."
Crash and Learn
With IT departments in today's crashing economy being asked to do more with less, virtualization's lure is becoming increasingly irresistible. But as some departments rush headlong toward the technology in an effort to stretch scarce dollars, the temptation arises to skimp on security.
Many thrifty managers believe that the same technologies currently used to protect conventional physical servers can simply be extended to virtualized environments. But MacDonald says that's a potentially calamitous assumption. He notes that the unwary could be trapped by threats in several areas, including software, administration, mobility, the operating system and network visibility. "There need to be policies to address these issues," he adds.
Broadwater takes some common-sense defensive steps, such as using firewall controls to limit user access and running a full array of security protocols and checks on each virtual server. In addition, Broadwater says he depends on his virtualization software vendor, Novell Inc., to supply a product that's resistant to intrusions and attacks. He says he worries about "holes in the virtualization software itself -- kernel attacks, someone attacking the host module or one of my guys making a mistake against the host server -- and then making sure that the full virtualization software is actually secure and is patched."