A security researcher studying ways to securely deploy and manage virtual environments says the initial costs of virtualization could make it more expensive than most companies anticipate.
Christofer Hoff, chief security architect at Unisys Corp., will give a briefing at the Black Hat conference in Las Vegas next month. The briefing, called The Four Horsemen of the Virtualization Security Apocalypse, will outline several architectures that could be used as a guide to deploy and manage the technology more securely.
Virtualization technology is wreaking havoc on the management of storage, networking, clients, servers, applications and operating systems, Hoff said. Security pros and network administrators aren't controlling the virtual environments because most virtual systems haven't touched full production systems until now. Instead, they are controlled by virtual server administrators who have reduced security to a couple of clicks on a server, Hoff said.
"You should be doing the same sorts of things that you use to secure your physical environment in your virtual environment," Hoff said. "But people are not doing that for some reason, and that reason generally stems from the fact that the folks who normally have governance over that infrastructure
Hoff said the costs of deploying and managing virtual environments will stay the same for firms that don't add security. But companies that attempt to manage security for all areas connected to the virtual environment will likely see a price increase. Security pros are finding that they lack the visibility and troubleshooting capabilities they had in physical environments. Ultimately, deploying virtualization technology will likely change the makeup of most company IT architectures, Hoff said.
"We've got the ability to spin VMs up anywhere, anytime, connected to anything, and we don't necessarily have the same amount of oversight, governance and change controls," Hoff said. "In the short term, the largest problem we have with virtualization is organizational, not technical."
Part of the problem stems from the fact that most enterprises today are extremely complex, with poor visibility over current business processes and application workflow, Hoff said.
"If you ask somebody to figure out all of the assets that contribute to an application in a complex environment, nine times out of ten you'll find out that there's some box sitting underneath some DBA's desk that is so absolutely critical to the process that when somebody unplugs it to vacuum the floor you wonder why your production environment goes down," Hoff said.
In addition, the same security tools used in physical environments will work in virtual environments. But IT pros could have trouble deploying security tools and making them work effectively in virtual environments, Hoff said.
"A lot of the tools that we have today simply don't adapt well to virtualized environments," Hoff said. "In many cases the appliances that we've deployed physically … simply don't work the same way."
As a result, new tools will be developed to address security in virtual environments. Network-based appliances will be tailored into virtual appliances. Host-based security tools will be modified to take advantage of the application programming interfaces (APIs) released by virtualization platform providers.