Solutions provider takeaway: Pay close attention to customers' server virtualization implementations, with an eye on virtualization security risks. Learn how a poorly configured virtual machine can cost a company a significant amount of money.
With the economic downturn in full swing and no real relief in sight, companies are slashing IT budgets and relying more than ever on server virtualization technologies. With all of this activity around virtualization, one has to wonder about the possible security risks that these implementations can cause. If a virtualization solution hasn't been implemented correctly, companies may have to spend significant amounts of money on audit compliance remediation or recovering lost data.
Companies driving toward physical system consolidation with server virtualization are faced with a major dilemma. Many servers exist on different networks or are multi-homed between those networks, which presents a challenge when companies implement virtualization. Do they consolidate servers from different networks, such as an internal corporate network and a DMZ network? Or should a system that holds customer data be on the same physical hardware as a development system?
In theory, and quite often in practice, the answer is yes. They can be on the same server hardware and still be secure. Best practices when designing your host implementation are to have a dedicated network card for host management traffic and dedicated network cards for your virtual networks, which isolates the two. When you create a virtual switch and assign a network card to that switch, only machines that are connected to that switch can communicate with each other and the outside world. Even the host system has to communicate through the switch to communicate with the clients.
You can also create a switch that isn't associated with a network card. In that case, only the virtual machines on that switch can communicate with each other. And when you add VLAN tagging into the mix of networking options for your guests, the complexity of your networking stack increases.
Pay close attention to your customers' regulatory compliance requirements when addressing server virtualization security. Depending on the regulations that apply, running virtual machines that have protected information on them may not be allowed.
With the complexity of virtual machine networking, configuration management is more important than ever -- especially if your customers have chosen to run a mix of production, testing and support systems on a single virtualization platform. A misconfigured virtual machine could expose sensitive corporate data or confidential information, such as health records or credit card data. Tracking and reporting changes to the virtual machine and the host system is crucial to a successful virtualization implementation. A virtual machine that is added to the wrong switch or VLAN can have a significant effect on your customers' bottom line.
For quite some time, virtualization vendors have said that the hypervisor is pretty secure. With the release of microkernel hypervisors there has been a significant amount of banter between vendors about how they are even more secure. But there has also been much concern over hypervisor architecture -- that if a flaw is exploited in the hypervisor, it could expose your host and guest machines. When it comes down to it, whoever owns the hypervisor will ultimately own the machine. Companies such as Catbird Networks, IBM and VMware are working on technologies that will help improve server virtualization security and eliminate risks at the hypervisor level.
As of the writing of this article, there have been very few real exploits of virtual environments. But that doesn't mean all virtual environments are safe. The wrong configuration or poorly written application code can still leave a virtual machine open for exploit. By conducting assessments and determining the risk of mixed workloads -- along with using configuration management tools, network access control, intrusion detection and prevention systems and other tried-and-true security technologies -- you can help your customers' IT security admins sleep a little better at night.