Misconfigurations and unpatched systems are the security manager's bane, and open invitations to exploitation. It's tough enough enforcing policy across traditional networks in large enterprises, with new initiatives spawning new servers and new applications, sometimes cocooned in business silos. Virtual environments don't make things any easier.
The rapid spread of virtualization, with its enormous cost benefits, can complicate this already formidable task, and experts say organizations need to examine the security implications.
"It's something that enterprises that have rolled out large (VMware) ESX deployments are starting to think about," said Phil Hochmuth, a senior analyst at Boston-based Yankee Group. "Initially, it was kind of a gold rush mentality, in that people were realizing all the cost savings. They didn't give security as much thought as if they had sat down and planned out an entire roadmap for how they were going to roll out and secure a virtual environment."
For its part, VMware is well aware of the need to address security in a virtualized world. Its VMSafe technology, announced in February, provides APIs for security vendors to build hooks into the virtual environment at the hypervisor level.
And, VMware has published a set of best practice configurations for hardening ESX Server, but implementing them in the real world is another matter.
"Practice has shown that customers have had a hard time going through 50 or a hundred of these, reading through and making sure they are properly enforced on each of the ESX boxes they've deployed," said Nand Mulchandani, VMware senior director, product management and marketing.
VMware and partner Tripwire have a tool that they say could make the job easier. Called Tripwire ConfigCheck, the free tool assesses ESX Servers against VMware's configuration rules. ConfigCheck is available for download on Tripwire's site, with a link on VMware's security site as well. Users can scan individual ESX Servers, presenting remediation instructions for non-compliant systems.
"It will be eye-opening when they run ConfigCheck against their systems and gauge that relative to best practices," said Mulchandani. "It will get them thinking about configuration and patching in key areas for security."
For its part, Tripwire, naturally, hopes that ConfigCheck will whet companies' appetites for its flagship product, Tripwire Enterprise, which performs configuration assessments and change auditing on both physical and virtual systems, including the client virtual machines running on ESX Servers.
Yankee's Hochmuth agrees automated tools like this are valuable as organizations address security in virtual environments, said but the main risk factor is not in the hypervisor.
"The biggest risk is just disorganization, the confusion you can get when you have this VM sprawl environment, with machines going online and offline a lot, not knowing what the patch level is or the security posture is of virtual machines," he said. "No one's hair is on fire because of exploits to the hypervisor."
Mulchandani, however, said too much is made of the confusion factor. He thinks we're selling enterprises short by saying that the rush to virtualization is undermining corporate security.
"Data centers are very tightly locked down, and virtual environments are no less tightly locked down than physical ones," he said. "It's really about policies on the hosts and machines themselves; the dynamism of virtualization as a security risk has been overblown."