In April 2004 I wrote my first article on the topic of virtualization security. I was trying to bring attention to the security
aspects of this "new" technology that was getting quite a bit of hype at the time. The hope was that this time security would not be an afterthought, that we would reverse the equine-escape/egress-closure
sequence. The naiveté of youth!
Four and a half years later, virtualization is almost a mainstream technology. Our virtualization benchmark in the second
half of 2008 showed rapid adoption among all industries. Server virtualization was in use by 93% of participants. More than
20% have achieved full adoption, which means that virtualization is their default platform for all new servers and they are
converting all existing systems. More importantly, 78% of participants have virtualized production servers facing customers
or users.
Surely, it seemed, security would be a top issue in architecture, design and technology choice. After all, as with any
new technology there are new security issues to contend with. Entire network infrastructures now exist inside the virtualization
layer, connecting servers. New management systems allow near-instant provisioning, migration and de-provisioning of entire
fleets of servers.
Server images are floating around on disk and are whizzing around networks. Live migration means that virtual server memory
pages are also whizzing around on the network. New architectures, processes and management systems, as well as organizational
upheaval, are all creating infinite possibilities for mischief. So we naturally asked (and have been asking every year since
2004) what companies were doing differently for security. Any tools? Any new architectures? Anything?
Once again, the answer surprised us (though perhaps it shouldn't). Only 9.6% of participants are deploying any security tools
specially designed to deal with virtualization. Another 21.2% expect to do so within the next three years. A whopping 69.3%,
though, have no plans at all to do anything specifically aimed at securing their virtual environments.
Where the imperatives of security won out, organizations have mostly accepted significantly reduced benefits from virtualization.
They partition resource pools to match network segments, and force traffic among pools to pass through the existing network
security infrastructure. They mostly use virtual LANs to achieve this, and they get less complete resource utilization as
a result, and less flexibility in matching workloads to resources.
Comments (5)
Surprised? Why?
By Anonymous on January 21, 2009, 7:17 am
Products are driven by market demand. What you are observing is that customers are not changing any of their behaviours. Security is still seen as insurance, thus...

Proper vm management has many benefits
By Rosen Sharma on January 26, 2009, 12:27 pm
There are also a lot of solutions to ensure integrity and proper configuration. For instance, Tripwire teamed up with VMware and created a free tool to do this:...

Risks Really that Great?
By Anonymous on January 27, 2009, 10:36 am
Is it really the case that "entire network infrastructures now exist inside the virtualization layer?" Or that "live migration" is being employed on a widespread...

When I think about
By Anon on February 17, 2009, 10:45 pm
When I think about virtualization security it stresses me out. I like to cope by playing with my wife's juggs

Interesting
By Anonymous on September 9, 2009, 10:11 pm
That is an interesting topic. I'm wondering if existing security vendors will just add virtualization security to their existing models. www.itosolutions.net VMware...