In April 2004 I wrote my first article on the topic of virtualization security. I was trying to bring attention to the security aspects of this "new" technology that was getting quite a bit of hype at the time. The hope was that this time security would not be an afterthought, that we would reverse the equine-escape/egress-closure sequence. The naiveté of youth!

Four and a half years later, virtualization is almost a mainstream technology. Our virtualization benchmark in the second half of 2008 showed rapid adoption among all industries. Server virtualization was in use by 93% of participants. More than 20% have achieved full adoption, which means that virtualization is their default platform for all new servers and they are converting all existing systems. More importantly, 78% of participants have virtualized production servers facing customers or users.

Surely it seemed that security would be a top issue in architecture, design and technology choice. After all, as with any new technology there are new security issues to contend with. Entire network infrastructures now exist inside the virtualization layer, connecting servers. New management systems allow near-instant provisioning, migration and de-provisioning of entire fleets of servers.

Server images are floating around on disk and are whizzing around networks. Live migration means that virtual server memory pages are also whizzing around on the network. New architectures, processes and management systems, as well as organizational upheaval, are all creating infinite possibilities for mischief. So we naturally asked (and have been asking every year since 2004) what companies were doing differently for security. Any tools? Any new architectures? Anything?

Once again, the answer surprised us (though perhaps it shouldn't). Only 9.6% of participants are deploying any security tools specially designed to deal with virtualization. Another 21.2% expect to do so within the next three years. A whopping 69.3%, though, have no plans at all to do anything specifically aimed at securing their virtual environments.

Where the imperatives of security won out, organizations have mostly accepted significantly reduced benefits from virtualization. They partition resource pools to match network segments, and force traffic among pools to pass through the existing network security infrastructure. They mostly use virtual LANs to achieve this, and they get less complete resource utilization as a result, and less flexibility in matching workloads to resources.