Virtual server sprawl highlights security concerns

LAS VEGAS -- Think server sprawl is bad now? Just wait till you experience virtual server sprawl. When users can clone a virtual machine with the click of a mouse, or save versions of applications and operating systems for later use, you're asking for trouble if IT doesn't maintain tight control, virtualization management vendor Embotics warned in a session at Interop Las Vegas Tuesday. (Look through our slideshow at other products shown at Interop.)

Server virtualization projects are driven by a desire for consolidation, yet the uncontrolled proliferation of virtual machines can result in the opposite, David Lynch, vice president of marketing for Embotics, said in a session called "Virtualization's Phantom Menace: Security."

Physical servers and software resources are wasted by virtual sprawl, which also burdens IT with more manual processes and increased security risk, Lynch said.

"The risk of sprawl is a lot higher in the virtual world than it is in the physical world," he said. "When you think of how common sprawl is in the physical world, that means we're going to see it even more in the virtual world."

Virtual sprawl isn't defined by numbers; it's defined as the proliferation of virtual machines without adequate IT control, Lynch said.

One Embotics customer found itself with more than 5,000 virtual machines and suspected many of them were no longer needed. IT figured out which ones were useless simply by shutting them down and waiting to see if anyone would "yell," Lynch said. Few users noticed when virtual machines were eliminated. It turned out 70% of them were obsolete, but were still consuming network resources and software licenses. 

Offline virtual machines present their own problem, in that automatic patching systems don't recognize them, leaving them without critical updates, Lynch said. He recommended that IT shops set policies limiting the amount of time a virtual machine is allowed to stay offline. If it's offline for a period of, say, 30 days, just eliminate it, he said.

The central problem behind sprawl – that virtual machines are so easily generated that IT has trouble tracking how many there are, and when and where they are deployed – only serves to fuel the special security challenges that come with server virtualization.

Most security products today weren't built for the fluid environments of virtualization, Lynch said. Security problems you've already solved in the physical world have a way of cropping up again in the virtual one. The hypervisor is essentially another operating system being introduced into the data center, yet it was introduced without rigid inspection. "Hypervisors came in the back door as an operations tool under the guise of server consolidation," Lynch said. "It never went through the kind of inspection that other technologies have coming into the data center."

Given the hypervisor's access to multiple virtual machines, it's an obvious target for attackers. "If compromised, you can get access to a range of servers," Lynch notes.