TECH.BLORGE.com

April 11, 2007

Virtualization security risks being overlooked, analyst firm says

By Ruben Francia





Server and desktop virtualization offers companies the ability to reduce costs and increase productivity. However, if adoption and implementation are carried out without much thought for security, virtualization may lead to higher costs and loss of production, according to research firm Gartner.

“Virtualization, as with any emerging technology, will be the target of new security threats,” said Neil MacDonald, a vice president at Gartner, in a statement.

Virtualization software allows users to simultaneously run multiple operating systems (OS), or multiple sessions of a single OS, on a single, physical machine – server or desktop. Regardless of the specific architecture, virtualization software has a layer that will be attacked and security strategies need to be put in place in advance, Gartner warns.

“Many organizations mistakenly assume that their approach for securing virtual machines (VMs) will be the same as securing any OS and thus plan to apply their existing configuration guidelines, standards and tools. While this is a start, simply applying the technologies and best practices for securing physical servers won’t provide sufficient protections for VMs.”

Gartner analysts said the process of securing VMs must start before the VMs are deployed, and ideally, before vendors and products are selected, so that security and securability can be factored into the evaluation and selection process. During this process, organizations must consider these security issues in virtualized environments:

  • Virtualization software, such as hypervisors, represents a new layer of privileged software that will be attacked and must be protected.
  • The loss of separation of duties for administrative tasks, which can lead to a breakdown of defense in depth.
  • Patching, signature updates, and protection from tampering for offline VM and VM “appliance” images.
  • Patching and secure configuration management of VM appliances where the underlying OS and configuration are not accessible.
  • Limited visibility into the host OS and virtual network to find vulnerabilities and assess correct configuration.
  • Restricted view into inter-VM traffic for inspection by intrusion prevention systems (IPSs).
  • Mobile VMs will require security policy and settings to migrate with them.
  • Immature and incomplete security and management tools.

Existing virtualization solutions address some of the security gaps, but not entirely. In some cases, the tools and technologies for addressing some of the security issues are immature or nonexistent.

MacDonald suggests that organizations need to pressure security and virtualization vendors to plug the major security gaps.

It will take several years for the tools and vendors to evolve, and for organizations to mature their processes and staff skills.

MacDonald advises the “would-be-adopters” that “knowledge of the security risks and the costs to address them must be factored into the cost-benefit discussion of virtualization. If these added costs are avoided, the risk of not making the necessary security investments must be accepted by the decision maker in the move to virtualization.”
