Will allowing virtual machines increase risk exposure?
A number of power users in our organization are interested in experimenting with virtualization on their client devices. We currently have relaxed client security policy guidelines for users. Would allowing client virtualization increase our risk exposure?
I assume by "virtualization" here that you mean "virtual machines" (VMs), the software that allows one or more guest operating systems to run on either a host machine or a hypervisor. Given that understanding, the question is really whether you would allow your users to bring other, non-standard operating systems to your enterprise and install them on company computer systems. That's pretty much what's happening when these users install virtual machine environments and put operating systems on them to run various applications.
It is not necessarily a risk, other than the fact that you will have less insight into what these users are up to. That argument, however, would apply to any sort of strange beast of system or software that is brought into the enterprise.
Thus, it all comes down to how much you trust these users and what they might do. Do you need to monitor their actions carefully? The VMs, if deployed in the manner that you describe, will be completely controlled by the users, and they will therefore be invisible pockets of software in the environment. Perhaps you can strike a bargain with these users that doesn't have quite as much potential for chaos. You can, for example, choose a set of operating systems that you will support as virtual guests. Then, you can require employees to install security packages, like antivirus and personal firewalls, in those guests. That might help you strike the right balance.
More information: Prepare for virtualization security unknowns.
Michael Cobb reveals the security-related pitfalls of moving toward a virtualization environment.
This was first published in September 2007