Virtualization enables businesses to do more with less. It enables SMBs to level the competitive playing field. And security has a lot to gain from virtualization. But virtualization has a lot to lose if it has no security controls.
Consider an example. At a basic level, security in the virtual world has the physical layer abstracted. Thus, a single physical firewall can be partitioned into multiple virtual firewalls to serve different administrative domains or applications.
But the real challenge, and the reason security and virtualization are discussed a lot today, is that server virtualization has moved beyond the development environment and into production. In a production setting, many of the ideas that seemed great in development are running into objections from security teams and auditors.
Questions arise, such as: "So, you took the three-tier architecture with firewalls and collapsed it into a single server pool? How are you controlling between the virtual machines?" The on-demand, virtual-moving dream of dynamic servers smacks hard into the static, inflexible reality of security-by-physical architecture.
Such issues lead to the conundrum: Is security going to thwart your business agility and new computing paradigms? Or are you going to find a more dynamic way of doing security? Security virtualization is therefore more about making security infrastructure (hardware, software or both) flexible enough to co-exist and contribute to a virtualized environment.
Security in a virtualized environment
In a virtualized environment, some of the old concepts have to go: IP addresses do not identify servers because servers can be redeployed on-the-fly to a different subnet. So your "IP A.A.A.A can send packets to IP B.B.B.B" access control design is no longer relevant or helpful. What was at "IP A.A.A.A" has moved to a different subnet/data center/continent.
Dynamically allocated virtual servers need dynamically allocated virtual security. Maybe it's software in the virtual machine, in the hypervisor, as a virtual switch I/O path plug-in, or some combination of software and hardware. But it cannot be a ring of physical appliances surrounding the pool of servers and trying to make sense of three dozen VLAN segments.
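The following added example (not from the original article) shows why an address-pair rule stops being useful once a server is redeployed: the moved workload is denied, while whatever later receives the old address inherits the permission. The workload names, roles, addresses, port and the role-based policy model are constructed assumptions, used here as one possible way to bind policy to the workload instead of its address.

```python
import ipaddress

# Constructed inventory: workload name -> role and current IP (all hypothetical).
INVENTORY = {
    "web-01": {"role": "web", "ip": "10.1.0.10"},
    "db-01": {"role": "db", "ip": "10.2.0.20"},
}

# Static design from the article: "IP A.A.A.A can send packets to IP B.B.B.B".
STATIC_ACL = {("10.1.0.10", "10.2.0.20", 5432)}

# Assumed alternative: policy written against workload roles, not addresses.
ROLE_POLICY = {("web", "db", 5432)}


def static_allows(src_ip, dst_ip, port):
    """Address-pair check; knows nothing about which workload holds an IP."""
    return (src_ip, dst_ip, port) in STATIC_ACL


def role_allows(inv, src_ip, dst_ip, port):
    """Resolve each address to the workload holding it now, then check roles."""
    by_ip = {w["ip"]: w["role"] for w in inv.values()}
    src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
    return src is not None and dst is not None and (src, dst, port) in ROLE_POLICY


def migrate(inv, name, new_ip):
    """Redeploy a workload to a new address, refusing malformed or in-use IPs."""
    ipaddress.ip_address(new_ip)
    if any(w["ip"] == new_ip for n, w in inv.items() if n != name):
        raise ValueError(f"{new_ip} already in use")
    inv[name]["ip"] = new_ip


def scenario():
    inv = {k: dict(v) for k, v in INVENTORY.items()}
    migrate(inv, "web-01", "10.9.0.10")  # web tier redeployed to another subnet
    inv["batch-07"] = {"role": "batch", "ip": "10.1.0.10"}  # old address reused
    return {
        "static_web_after_move": static_allows("10.9.0.10", "10.2.0.20", 5432),
        "static_reused_ip": static_allows("10.1.0.10", "10.2.0.20", 5432),
        "role_web_after_move": role_allows(inv, "10.9.0.10", "10.2.0.20", 5432),
        "role_reused_ip": role_allows(inv, "10.1.0.10", "10.2.0.20", 5432),
    }


if __name__ == "__main__":
    for check, allowed in scenario().items():
        print(f"{check}: {allowed}")
```
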
One approach from a vendor is VMware's VMsafe, which uses VMware's APIs to enable security vendors to plug new versions of their products into the hypervisor, giving them the opportunity to create tight hooks into the virtual environment with greater visibility and dynamic management over client virtual machines.
Expect a lot of transformation this year around leveraging VMsafe and moving from just protecting the virtual layer as if it were a normal machine to exploiting the benefits of introspection and being ready for the mobility that comes with a virtual data center.
At the core, security requirements don't change in a virtual environment, but must be adapted to work effectively in it. Most importantly, that means effective management and maintaining correct configuration settings and efficient change control. Virtualization is also the perfect opportunity to review, improve and, if necessary, reinvent your IT risk management and security policies and processes.