Securing virtual environments

December 30, 2009 2:23 pm

In the main, many IT managers have made the mistake of thinking that their current physical security systems are enough for their new virtual servers. For instance, a survey by YouGov in the UK this year discovered that an alarming two out of five IT managers might have left their companies open to attacks from hackers or malware because they assumed that their virtual servers had security in-built.

The fact is, they don’t. Many experts point out that the virtual servers companies install are far less secure than the physical servers they have replaced. The problem lies with the dual misconceptions that virtual servers come with robust security tools pre-installed and that existing firewalls and intrusion detection software will protect virtual servers. The problem there, however, is that many virtual servers running inside a physical server cannot be seen by those tools.

Key server differences

“Virtual and physical mainly differ because of both the mobility and the lack of physical security inherent in virtualisation,” explains Kurt Roemer, Chief Security Strategist at Citrix. “These key differences require changes in administrative, authentication, encryption and general lifecycle management practices. Because virtual environments are so easy to setup, they are often provisioned with minimal security. As these virtualised environments grow, the lack of security grows with them. It is critically important that anticipated security needs are designed in as the virtual environment is architected, so that security persists through growth.”

According to Bob Kalka, Director of Channels, Enablement at IBM ISS: “There are two main areas of issues that come up that are unique to the virtualised environment. Firstly, it requires a retraining of staff, not just in virtualisation security but in virtualisation itself. The other point is visibility. All the tools that are out there do a great job of protecting physical boxes…but as soon as you get into the virtualised world where you are taking multiple physical boxes and moving them to a single physical box, those tools can still look at what’s coming into the physical box but they can’t see what is happening between the virtual machines.”

Educating users

So how do you go about implementing security? Kalka agrees that it’s not just about tools, it’s about educating the users and changing the culture to understand virtual environments. It’s also about putting in place the policies necessary to control the rollout of virtual servers throughout your business. Since they are relatively easy for non-IT people to create, many companies have found that departments are creating their own virtual servers without the involvement of IT.

“Security is not something customers think about immediately but that is happening now,” says Omar Shihab, Program Manager at IDC MEA. “Some of the security challenges are specific but most of them are common to the physical environment. You still need to have firewalls and intrusion systems. One of the main challenges is that these virtual machines are like files – no longer physical. However, when customers become comfortable they see how easy it is to deploy virtual servers. The challenge can be managing lots of users creating lots of virtual servers. Put in place policies from the IT department to control who can create these servers and what permissions they need. Education is very important.”

Virtual security add-ons

Virtualisation is all about planning and in the words of Gartner, “starting small, but thinking big”. Assuming you have planned your first steps into deploying virtual servers, you will need to look at security solutions for your virtual environment. Right now, many of those solutions come from smaller vendors but the larger security giants are adapting, albeit slowly.

Roemer says: “Virtual firewalls, IDS/IPS, encryption products and other security solutions are available, albeit primarily from smaller vendors. Traditional security vendors have taken a cautious approach to virtualisation, and have aligned their physical security solutions to virtualisation over the last few years.”

If you are using mainstream security products, check with your vendor to see if there are virtual add-ons before looking for options from newer, untested vendors. This can prove cheaper and safer in the long run.

The Middle East and Africa are just starting on the virtualisation wave, which gives many businesses a chance to learn from the mistakes of businesses in Europe and the US. Shihab explains: “Virtual servers are still in their infancy here and adoption is low so far. Less than 10% of servers shipped here in 2009 were virtualised. In Western Europe the figure is 25%.”

He says that things are picking up fast though, particularly in the enterprise sector where budget constraints and cost-cutting brought on by the global economic collapse are making virtual servers a very attractive investment. That said, making security a priority from the outset of any virtual server project is the key to gaining all of those well-publicised cost-savings benefits without compromising your business data.