There's nothing new about efforts to consolidate federal government data centers. In October 1995, under the Clinton administration, the Office of Management and Budget directed agencies to significantly consolidate their data centers by concentrating data processing into fewer physical facilities and combining workloads on to fewer computers. The goal was to improve efficiency and reduce costs. At the time, the number of data centers across the government was about 200. The result? Today there are about 1,100 data centers.
In a virtualized world, you need some logical security mechanisms that provide the same physical security control that you used to have.
computer scientist and co-author of the NIST virtualization guideNIST
The Obama administration has renewed and intensified Federal data center consolidation efforts. The Clinton era program to improve efficiency and reduce costs never met its goals – the number of data centers ballooned from 200 to 1,100. The new Federal Data Center Consolidation Initiative (FDCCI) mandates a new emphasis on slashing energy reduction. A targeted increase of 30% to 40% in server virtualization is a big part of that, and that has cybersecurity experts sounding alarm bells.
While server virtualization isn't inherently insecure, virtualized workloads are often deployed insecurely, according to Neil MacDonald, vice president and analyst at Gartner Research and a member of Gartner's information security and privacy research team, which focuses on operating system and application-level security strategies.
A recent Gartner study projected that 60% of virtualized servers deployed in the next year and a half will be less secure than the physical servers they replace. The combination of more virtualized workloads and workloads becoming more mobile creates "a complex and dynamic environment" that will be more difficult to secure, MacDonald said.
Security researchers at the National Institute of Standards and Technology agree that virtualization has some negative security implications. "Virtualization adds layers of technology, which can increase the security management burden by necessitating additional security controls," according to NIST's recently released draft Guide to Security for Full Virtualization Technologies (Publication 800-125) (.pdf).
NIST specialists say that hackers can compromise virtualize servers through vulnerabilities in the application running on the virtual server or guest operating systems, such as attacking the host operating system's network services from another host on the same subnet. NIST's concern is that hackers can potentially compromise cybersecurity for all virtual servers on a single physical server by attacking a weakness on one virtual server.
Therefore, it's critical to keep in mind that all the security considerations that apply to OS's running on real systems also apply to guest OS's in a virtualized environment, such as patching and creating secure configurations.
"In a virtualized world, you need some logical security mechanisms that provide the same physical security control that you used to have," said Murugiah Souppaya, a NIST computer scientist and a co-author of the agency's virtualization guide. "So you have the notion of running a virtualized firewall instead of a physical firewall. It's not like you don't have to implement a firewall when you virtualize your environment. So you have to translate your physical security controls into their corresponding mechanisms in the virtualized world."
Next: Data center consolidation and virtualization: specific security risks and solutions
About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.
This was first published in September 2010