The fact is, they don't. Many experts point out that the virtual servers companies install are far less secure than the physical servers they have replaced. The problem lies with two misconceptions: that virtual servers come with robust security tools pre-installed, and that existing firewalls and intrusion detection software will protect them. In practice, many virtual servers running inside a physical server cannot be seen by those tools.
Key server differences
"Virtual and physical mainly differ because of both the mobility and the lack of physical security inherent in virtualisation," explains Kurt Roemer, Chief Security Strategist at Citrix. "These key differences require changes in administrative, authentication, encryption and general lifecycle management practices. Because virtual environments are so easy to set up, they are often provisioned with minimal security. As these virtualised environments grow, the lack of security grows with them. It is critically important that anticipated security needs are designed in as the virtual environment is architected, so that security persists through growth."
According to Bob Kalka, Director of Channels, Enablement at IBM ISS: "There are two main areas of issues that come up that are unique to the virtualised environment. Firstly, it requires a retraining of staff, not just in virtualisation security but in virtualisation itself. The other point is visibility. All the tools that are out there do a great job of protecting physical boxes... but as soon as you get into the virtualised world where you are taking multiple physical boxes and moving them to a single physical box, those tools can still look at what's coming into the physical box but they can't see what is happening between the virtual machines."
Educating users
So how do you go about implementing security? Kalka agrees that it's not just about tools; it's about educating the users and changing the culture to understand virtual environments. It's also about putting in place the policies necessary to control the rollout of virtual servers throughout your business. Because virtual servers are relatively easy for non-IT people to create, many companies have found that departments are creating their own without the involvement of IT.
"Security is not something customers think about immediately but that is happening now," says Omar Shihab, Program Manager at IDC MEA. "Some of the security challenges are specific but most of them are common to the physical environment. You still need to have firewalls and intrusion systems. One of the main challenges is that these virtual machines are like files - no longer physical. However, when customers become comfortable they see how easy it is to deploy virtual servers. The challenge can be managing lots of users creating lots of virtual servers. Put in place policies from the IT department to control who can create these servers and what permissions they need. Education is very important."
Virtual security add-ons
Virtualisation is all about planning and, in the words of Gartner, "starting small, but thinking big".



Staff



