Here you are, adding yet another server to your virtualized environment that went from beta to production in the data center equivalent of zero to 60 in 4.5 seconds. That speed means the security policies and processes you routinely applied to physical servers probably went out the window over the past few years. In our latest survey on virtualization security, one IT pro told us that, for questions like "Do you harden your hypervisors?" we should provide the option of answering "No, and no future plans, but we know we should have plans."
We've tracked this area for some years in our practice and recently revisited the InformationWeek Analytics Virtualization Security Survey we first deployed in May 2008 to see how attitudes and practices have evolved. One thing we do know: That commenter is dead on. Yes, virtualization saves money and can increase reliability. But complexity is the enemy of security, and today's virtualized infrastructures are anything but simple, between virtual I/O, hardware appliances custom-built for virtual environments, and virtual software being used for what once was done in hardware. And now, storage, desktop, file, and network virtualization are on the table, too.
If your security policies haven't kept up, it's time to tap the brakes.
In some areas, we see surprisingly little movement from two years ago. For example, we asked how virtual machines are viewed with regard to security risk; 76% of the 423 business technology professionals responding in 2008 said their companies considered VMs as safe or safer compared with physical servers. In our new poll, 75% of 684 respondents answer the same. In 2008, 12% had no VM security provisions in place. Zero. In this survey, it's down a mere 2 points, to 10%. But there are some swings. Most notably, the number of companies with VM-specific security tools in production nearly doubled. Apparently, sellers of virtualization security appliances (VSAs) have gotten their message across.
So, do you need to take some of the savings achieved by server virtualization and pump that cash into VSAs?
No. You need to get back to basics.
Virtualization security is useless if you think only in terms of securing VMs. Virtual servers should be no different from their physical counterparts. They run the same operating systems and require the same security technologies and processes. But there's one very big difference. Physical servers provided for a natural separation of duties within the IT organization; as a result, most enterprises have a distinct network team and systems team. Separation of duties is good security practice. But that's largely gone out the window when it comes to managing virtual environments. Nearly half (47%) of those involved in provisioning and ongoing management of the virtual switching infrastructure are members of the systems team, not the networking team.