The double-edged sword of virtualisation security

Lab A quick search will provide ample warnings of the risks of adding virtualisation technology to the business IT mix without due care and consideration to security.

Whether such risks are inherent in the use of virtualisation technology itself, or arise when standard security practices are not extended to include virtual environments doesn’t really matter, because one should not exclude the other anyway.

So there is plenty out there on the risks, which we should ignore at our peril. But what of the benefits? The double-edged sword can apply in a positive sense to the additional layer introduced by the hypervisor: while what security people like to call the attack surface is increased in principle, correctly configured, it is one more thing the bad guys have to get through before they can get to the crunchy bit of data in the middle.

Meanwhile, if attack surface is your thing, the reduced footprint afforded by consolidating multiple virtual machines onto fewer servers does indeed reduce complexity and make things easier to secure in a physical sense. Sure, it might be putting all your eggs in one basket, but at least the basket can be locked away.

Much of security (if not all of security) is about risk management, so it is important we consider benefits beyond the, "is it secure/insecure" debate. Here’s some examples of where virtualisation can help reduce risk levels inherent in IT delivery:

• Operationally, a useful benefit of virtualisation is the improvement in patching capabilities afforded by a virtualised environment. Centralised patching of VMs can, in principle, be executed with less time and effort than in the physical world. It’s not quite *that* simple of course, as you will need to ensure that all VMs are online / active to be patched.

• Moving into the desktop realm – a source of much frustration for IT departments – the ability to centrally manage provisioning and software updates has a role to play in security, for example as a corrupt desktop image can easily be switched out and replaced with a clean one from the master image.

• A degree of protection is also afforded to portable devices. One of the options for protecting company data on ‘work and home’ kit is to separate the two using virtualisation technology. Taking things a step further and encrypting the ‘workVM’ means not only is there a degree of separation, but privacy can also be assured, particularly if the device is lost or damaged. The future will likely see virtual machine encryption playing more of a role, whether within the data centre or on mobile devices. Regulation may simply make this a prerequisite in certain industries.

There is nothing to say that a virtualised environment will be inherently more secure than a non-virtualised environment: from your feedback we’re picking up as many challenges as advantages. It stands to reason however that the benefits touched on here will be gained through a combination of good management, planning and design, and organisations won’t magically become good at this simply because virtualisation technology happens to be in the mix.

As we roll down the virtual road, it will be interesting in the extreme to see whether perceptions and experiences polarize further – from those who have harnessed virtualisation and managed the inherent risks, or those who become overcome by complexity. If you’re seeing clear roads ahead or are already hitting the potholes, we’d appreciate hearing about your experiences. ®