Virtualization Implementation Has Real Risk

September 14, 2009 by ADMIN

By Cara Garretson, Veteran Business and Technology Journalist

Now that the majority of enterprises have at least tested the waters of virtualization with hopes of consolidating hardware and cutting costs, many are starting to realize that they must consider the implications this technology is having on other aspects of their IT infrastructure.

Issues surrounding virtualization deployment, specifically the security of these emerging technologies, are hot topics at the VMworld conference being held in San Francisco this week.

As organizations push virtualized systems out of the test phase and into production environments, they are beginning to see how virtualization influences established IT systems, architectures and practices.

Some say virtualization adopters are being caught somewhat by surprise.

“Much of the focus has been on the technologies of virtualization rather than the operational, organizational and economic context,” says Andreas Antonopoulos, senior vice president and founding partner of Nemertes Research, in a report on virtualization risk.

He says approximately a quarter of the organizations deploying the technology are doing so on production systems, yet “most companies do not have a good understanding of the real risks surrounding virtualization.”

Virtualized environments are inherently less secure because they cannot be managed with the same level of success by traditional security approaches, says Antonopoulos, and new approaches that take virtualization into consideration are still evolving.

RSA Security issued a report last Tuesday that looked at one subset of virtualization security—compliance of virtual systems.

RSA warned that organizations leveraging virtualized systems should ensure they are fully integrated with overall systems for compliance, be they for government, industry, or corporate regulations.

In its security brief (available for download from www.rsa.com), RSA outlines best practices for compliance in a virtualized world, including issues such as platform hardening, configuration and change management, administrative access control, and audit logging.

The report also outlines considerations such as using access control to separate an administrator’s role within the virtualized software and ensuring that patch management procedures take into consideration virtualization software as well as virtual machines.

In another study released this week, identity management vendor Centrify reported that security concerns could slow down the adoption of virtualization.

Survey respondents said security, compliance, and operational issues were the three top concerns regarding virtual systems.

Specifically, the respondents indicated that although they were implementing security controls for their virtual systems, they were less than confident about the efficacy of these controls.

One respondent said that the pressure to adopt virtualization because of the promised cost savings means his company is implementing the technology without adequately evaluating the security risk.

“The diversity of virtual platforms in organizations will create new vulnerabilities,” said Frank Cabri, vice president of marketing and product management at Centrify, in a statement.

“Because creating a new server in a virtual environment is as easy as copying a file—and in some instances the software is free—the rigor that used to accompany setting up a server has been bypassed. Ensuring appropriate access controls and privileges is critical in this environment.”

Another key area to consider when deploying virtualization is disaster recovery.

According to the results of a survey conducted by Symantec in June, only 36 percent of respondents said they back up their data stored in virtual environments.

And only approximately one-fourth of respondents said they test virtual servers as part of their disaster recovery plan.

Cara Garretson is a veteran business and technology journalist with over 15 years' experience writing and editing for print and online publications, including a position as Senior Editor for Buyer’s Guides at Network World and as a Senior Writer at Red Herring. Cara contributes regularly to CIOZone.com.

CIOZone.com is the first-of-its-kind online meeting place for CIOs. It is built upon the foundation of social networking and combines user-generated content and expert editorial around an open source platform.

*   *   *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author, CIOZone.com and to Information-Security-Resources.com
