Virtualized Systems Can Be A Security Risk: Analyst


That was the message from Gartner Fellow Neil MacDonald in his "Securing Virtualization, Virtualizing Security" presentation this week at Everything Channel's Midsize Enterprise Summit in Miami.

MacDonald's argument is that most virtual machines being deployed by IT departments today aren't as secure as physical systems. Not that virtualization is inherently less secure, MacDonald was careful to say, but most virtualization technology isn't being deployed in a secure way.

Several times during his presentation MacDonald passionately argued that many suppliers of virtualization and security technology aren't stepping up to the plate and providing the same kinds of protection they provide for physical systems. "The bad news is most of the big guys are still missing in action," he said.

One apparent exception is VMware, which MacDonald pointed out now offers its VMsafe and vShield software to improve the security of its VMware virtualization software.

MacDonald said that generally speaking, hypervisor-based virtual machine monitoring technology is safer than older "hosted virtual machine monitoring" software. He presented a list of what he considered to be the biggest security threats to virtualization systems.

Virtualized systems, as with operating systems, have vulnerabilities that can be exploited by hackers. But tools for patching virtualization software or even detecting when systems have been compromised are few and far between. "The vendors don't have a lot of answers here," he said, recommending that IT managers be sure to apply to virtualized systems the same vulnerability assessment/patch management processes they use for physical systems.

Another problem is that virtual systems have internal virtual networks and sometimes communicate between themselves -- even when they shouldn't -- and IT managers may not be aware of it. And when tools for securing and managing virtual systems are available, they are so different from tools for managing physical systems that the odds of system misconfiguration increase. "It just compounds the chances that someone is going to make a mistake," MacDonald warned.

Security and management policies for virtual systems must be dynamic and not tied to physical assets, MacDonald cautioned. He recommended keeping the host operating system "thin and hardened" and said a general-purpose operating system shouldn't be used as the foundation for virtualization software.

And, he said, businesses should take some of the savings they generate through virtualization and invest it in their security efforts.