Nemertes Issue Paper: Virtualization Best Practices
The Issue:
Server virtualization is one of the most-discussed technologies of the past
few years. We find that although some organizations are already generating
substantial savings with virtualization in their production environments, the
majority of participants in Nemertes’ Security and Information Protection
benchmark research are not yet using virtual servers in production. They plan to,
however, looking for the increased resource utilization, broader platform
standardization, and deeper management automation that server virtualization
enables.
As virtual servers move into production, IT needs to address security and
compliance issues. Unfortunately, most participants in the benchmark, when
asked how they secure their virtual servers, say they treat them like physical
servers as much as possible! Sensibly, they use host-based security such as antivirus
and anti-malware agents. However, they also use network tools to protect
virtual servers exactly as if they were simply very thin, very densely stacked rackmount
boxes.
While treating virtual servers simply as dense blades may work as a system
administration policy, it is lacking as a security policy, as it fails to address the
added layers of complexity virtualization creates and the decreased visibility of
inter-VM network traffic. In a virtual environment there are also virtual network
switches. These software switches offer VLAN capabilities and can be stacked to
create quite complex virtual networks. Virtualized servers might contain entire
virtual network architectures with n-tier application components such as
application servers, Web servers, even databases contained inside the virtual
machines. From the perspective of a traditional security appliance sitting outside
this virtual network architecture, none of the network traffic between these
servers is visible or auditable.
If network traffic passes from one virtual switch to another, it may
never touch a physical switch. The virtual environment becomes almost
completely opaque. A security breach in any one of the virtual servers can go
unnoticed and, worse, can spread unchecked to other virtual machines.
Another key issue with virtualization is compliance. The common element
most regulatory frameworks impose is a requirement to control and audit who
has accessed what and when. This “who, what, when” question is often addressed
with network enforcement and monitoring appliances. Unfortunately these
traditional security measures are, for the most part, not virtualization-aware and
therefore have limited or no visibility into the traffic traveling between virtual
servers. Thus, compliance becomes a critical barrier to adoption of virtualization
and is cited often in our research as a reason why virtualization adoption is
aborted or stalled.
Finally, virtualization encourages server mobility. Dynamic movement of
virtual servers becomes a key enabler of business agility and recoverability. The
ability to relocate servers on the fly drives adoption of virtualization in many
enterprises and SMBs. Whether used to streamline operations, as an exit strategy
from a hosting provider, or as a means to recover from a disaster, server mobility
is highly desirable. But mobility poses additional problems for static security
systems. If the security “context” (composed of ACLs, content
inspection, anti-virus, and SSL) cannot move with a server, mobility is hampered.
Traditional static security solutions thus become a barrier to the full adoption
and the full ROI of server and service virtualization.
Read this Issue Paper: Virtualization Best Practices
Non Clients: Nemertes Issue Papers are available to clients only. If you're not a
client and would like to receive a copy of the Issue Paper, please
contact us.