IT professionals have heard plenty about the security benefits of desktop- and server-based virtualization, from...
more efficient patching procedures to the centralized storage of data that would otherwise be stored on endpoint devices. But IT administrators who have tested it in their environments have also discovered potential security drawbacks, particularly when it comes to compatibility with other security systems.
Compatibility has been the main challenge for John Petrie, chief information security officer for a San Antonio-based financial services firm with 5,500 employees and 15 locations. After vigorously testing technology from several different vendors, he found that the full deployment of virtualization would force him to rework tried and true security controls -- a task that would cause chaos for the IT department and the larger workforce.
"There are centralized security controls we have in place that would have to be done differently with virtualization," he said. "That would force us to change our whole centralized vision of security, and it's something that gives us pause."
For others, the drawback is based on fear of threats that aren't around today but could become serious problems in the future. Natalie Lambert, a security analyst with Cambridge, Mass.-based Forrester Research, noted the potential for future exploits targeting the hypervisor, a virtual platform that allows multiple operating systems to share a single hardware processor.
"One big concern is about what could happen if a flaw were found in a hypervisor, which would give attackers access to thousands of desktops sitting on a virtual server," Lambert said. "That's not a reality today, but it's certainly a fear for the future."
Despite the drawbacks, most IT pros who have tested virtualization technology say the benefits are real. The key is to have a thorough vetting of technology from a range of vendors.
Petrie is currently looking to deploy virtual servers in the company call center and on blade systems, but an across-the-board deployment is out of the question for the short term because of the compatibility problems he has discovered. His game plan involves constant testing and smaller, incremental deployments.
"We need additional computing capabilities at a lower cost, so we are virtualizing several call center applications and consumer data in the test bed," he said. "Based on some successful testing we plan to move toward some deployments soon, but I don't see us going full virtualization enterprise wide because there are too many interoperability issues."
The biggest limitations for him right now involve the company's IBM-based mainframe technology and reliance on payroll and accounting applications written in COBOL (Common Business Oriented Language). Petrie said one can't virtualize a mainframe, and the COBOL datacom language doesn't lend itself to virtualization, based on his own testing.
Tony Beaird, network infrastructure administrator at Lombard, Ill.-based Cinch Connectors Inc., an $80 million company that supplies connectors to such industries as aerospace and transportation manufacturing, has run into his own incompatibility issues. He is currently implementing a new enterprise resource planning (ERP) system to integrate company data and processes into a unified system and, based on his testing experiences, has chosen to deploy it and all the necessary accompanying systems via VMware's ESX server.
"I think the biggest challenge we faced was choosing the appropriate SAN backend," he said. "Because we already had several SANs installed, we ran into an issue with our installed SAN being incompatible with ESX 3. That vendor has since corrected the issue, but it caused us to look at other SAN vendors for our solution."
The security benefits of virtualization
Despite the compatibility challenges and fears of future hypervisor flaws, those interviewed still see tremendous potential for virtualization technology to improve security and manageability
Beaird, for example, has been able to improve his patch testing and deployment process through virtual systems. "A huge benefit for us has been the ability to test patches in a duplicate environment without the need for a separate dedicated hardware environment, which, for companies my size, isn't always feasible," he said, crediting VMware's VMotion technology for much of the improvements.
According to the VMware, VMotion leverages the complete virtualization of servers, storage and networking to move an entire running virtual machine instantaneously from one server to another. If ESX requires a patch, Beaird said he can simply VMotion everything from each server and perform the updates.
Lambert noted that desktop virtualization is increasingly popular among enterprises that see the current PC environment as too expensive and want to find a way to save costs. But in her view the benefits of virtualization are more about security and manageability.
"With this technology you start to centralize data instead of having it living on all your endpoint devices," she said. "Think about all the data that tends to be stored on laptops. Not having data on the laptops is a big security benefit. Hosted desktop virtualization means a lost laptop is no big deal because the data isn't on the device."
Finding the right vendor
Enterprises looking to adopt virtualization technology are most familiar with VMware, considered the leading vendor in the space by many industry experts. Beaird is certainly happy with the VMware technology he has purchased, but looked at other vendors initially, including Microsoft, which has made its own push into the market with such products as Microsoft Virtual PC 2007 and Virtual Server.
"One risk we saw in going with Microsoft's solution was the requirement for patching the underlying Windows host system that runs Virtual Server," Beaird said. "Because Microsoft does not have the ability to VMotion their virtual machines, this, unlike VMware, would require us to bring down the host system completely to perform updating."
His company decided to go with VMware mostly due to the risk of having to patch the Windows Server host. Through VMware, his company has installed six ESX3 servers that share storage on an EMC SAN.
In addition to VMware and Microsoft, Lambert said vendors to watch for include Citrix and Symantec's recently-acquired Altiris technology. Citrix offers a range of virtualization products, and Symantec has its Altiris Software Virtualization Solution.
Lambert suggested IT shops looking to invest in virtualization emphasize the security and manageability benefits instead of the potential cost savings when making a pitch to upper management.
"Implementing virtualization is expensive in the short term, and companies should understand that the cost savings associated with the technology will actually take a good three years to materialize," she said.