SAN DIEGO – Despite the complexities and security uncertainties tied to introducing virtual machines (VMs) to the company environment, IT pros must move forward with virtualization projects and accept the risk, according to an expert.
Alessandro Perilli, a virtualization security expert, told attendees at Burton Group Catalyst Conference '08 to not blindly trust virtualization methods and to use common sense security practices when deploying virtualization technologies. Perilli is the founder and principal analyst of False Negatives, as well as the writer of the Virtualization.info blog.
"You have to accept fact that your introducing a new layer that's going to extend the investment that you've made to your systems," Perilli said.
Virtualized servers have the same kind of security challenges that the physical infrastructure provides, Perilli said. But IT security pros and administrators must retool their operational framework to handle the complexities being introduced into the environment, he said.
"The weakest part of the security defense we have in our infrastructure is related to the way we manage our operational framework," he said. "You cannot handle the capability of the virtual center to be dynamic if you don't have a strong operational framework."
Perilli said the risk of attacks on VMs is low but will likely rise as adoption increases over the next several years. When you add virtualization to the environment, you're adding software, he said, pointing out that VMware Inc.'s patch releases increased from about 15 patches in 2006, to 70 patches in 2008.
"No security vendor can demonstrate that it's completely secure," he said.
Doug Martin, a senior manager of information security at Mountain View, Calif-based Intuit Inc., said his company is moving forward with plans to roll out virtualization into full production. The maker of the popular Quicken and TurboTax software plans to cut costs by reducing a number of its physical servers, Martin said.
"We're nibbling at full production," he said. "We want to be able to deploy without limiting our ability to support future technology."
Jorge Mata, CIO of the Los Angeles Community College District, which operates several satellite campuses serving more than 140,000 students, talked about the success his team had deploying virtual servers. Currently the district has 120 virtual servers and 15 physical servers. The deployment didn't come without some headaches, he said, such as a complete failure of the district's email system.
"We went through spectacular failures," Mata said. "We were provisioning things ahead of time. In terms of storage, we were over provisioning."
Perilli said some vendors will release VM lifecycle management software to help companies create a strong authorization framework within virtualized environments. Companies can still start with the basics, he said. They should set up different VM hosts for each zone on different security levels. "With the virtualization platforms we have today, you cannot just attach the current security layer inside the virtual machine," he said.
"Virtualization is not a brand new word. Bring what you know to the table," Perilli said.