The case for server virtualization is perhaps even more compelling in this dreadful economy. Power savings, hardware reduction, flexibility and data center consolidation remain powerful incentives.
At the same time, look for 2009 to be a year for improving security in virtualized environments, as enterprises understand the special requirements and opportunities in this new world and security vendors adapt their products to integrate more tightly with virtualization platforms.
Most of the buzz is around the long-awaited release of VMsafe, VMware's APIs that will allow security vendors to plug new versions of their products into the hypervisor, giving them the opportunity to create tight hooks into the virtual environment with greater visibility and dynamic management over client virtual machines.
VMsafe will be announced as part of a major platform release sometime this year, but since it was announced VMware's partners have been developing product versions to work with the new APIs, according to Steve Herrod, VMware Inc. CTO.
Virtualization security 2009:
Listen to the interview:
Steve Herrod, VMware senior vice president of R&D and CTO about both the security challenges and the opportunities presented by the migration from physical to virtualized data centers. Download Mp3
"You'll see a lot of transformation this year around leveraging VMsafe," he said, "And moving from just protecting the virtual layer as if it were a normal machine to really exploiting the benefits of introspection and really being ready for the mobility that comes with a virtual data center."
"VMware is still the predominant leader as a virtualization platform provider," said Christofer Hoff, a chief security architect at Unisys Corp. and a frequent speaker on virtualization security. "They've done something that Citrix and Microsoft have not done: either invest directly in technology or also in terms of acquisition gain security competency to integrate some very interesting capabilities into forthcoming releases of product."
Kurt Roemer, Citrix chief security strategist, believes his company has been just as diligent in integrating security partners' products with XenServer.
"We don't have a fancy marketing term, but we've very much had a security methodology in place," he said. "We're working with key vendors to make sure they can plug into Citrix virtualization offerings."
The acquired security competency to which Unisys' Hoff alluded are VMware's deals for host intrusion prevention vendor Determina Inc. and Blue Lane Technologies Inc., whose products provide virtual patching to protect against exploitable vulnerabilities.
Blue Lane was one of a handful of specialized vendors in what some have attempted to characterize as the "VirtSec" market. These include companies like Reflex Systems Inc. (virtualization management and security), Catbird Networks Inc. (virtualization security), Marathon Technologies Corp. (fault tolerance for server virtualization), and Apani Networks, which markets a virtual machine version of its EpiForce product, which creates identity-based security zones as an alternative to firewall-based zoning.
More established security vendors generally haven't done much to adapt to virtual environments. A handful, such as Check Point Software Technologies Ltd. (firewall), Sourcefire Inc. (IPS) and Trend Micro Inc. (Web security gateway).
So, what does this all mean for the company that's thick and heavy into server virtualization or getting ready to take the plunge? Is there a VirtSec market and should you care?
"It's just a buzzword," said Forrester analyst Andrew Jaquith. "I don't think there is really a virtualization security market as such. If it were we'd have clients asking for it by name."
Jaquith said that enterprises will need to look at how existing security products will be adapted to virtual environments. Endpoint protection suites are particularly important to watch, he said, as they need to be updated constantly, even when they are offline, as is often the case with virtual machines.
"Security companies need to find a way to adapt products to work gracefully with this deployment model that is the VM," he said. Security software is no different from any other software -- SAP or Oracle, for example -- that need to adapt.
The emergence of a VirtSec market will depend on whether threats against the hypervisor itself -- largely theoretical at this point -- will become a real world issue that virtualization platform vendors can't deal with effectively on their own.
Citrix's Roemer recommends that companies use an approach based on workloads -- what you are trying to protect and how it needs to be protected.
"Make sure vendors are looking at the problem in the right way, [it's] not just an OS issue, or network security issue or application security issue, it's a workload security issue," he said. "Regardless of what the workload is or how it interacts, companies need to ensure that they have security that meets its needs and follow it."
Following it underscores the dynamic nature of virtual environments, as VMs are created and go on and offline. If you are using technologies like VMotion, VMs can move from physical host to physical host as need dictates.
Policies and the resulting operational practices that may be clear cut in the physical server world, such as separating sensitive boxes such as financial databases, from public access, said Jaquith, become a little cloudier in a virtual environment where sloppy operational practice can put a low-value VM on the same host as the financial data.
The conclusions seem to be that, at its core, security requirements don't change in a virtual environment, but must be adapted to work effectively in it. Most importantly, that means effective management and maintaining correct configuration settings and efficient change control. To the last points, for example, Tripwire Inc. and Configuresoft Inc. have been adapting to virtual and mixed infrastructures.
"The tools and technologies you see being marketed and delivered currently are less about security in the classical sense than they are about management ability, visibility, governance and change control," said Unisys' Hoff. "The people who are managing are not traditional security people; the ability to manage and secure these environments has become very messy."
Virtualization is also the perfect opportunity to review, improve and, if necessary, reinvent your IT risk management and security policies and processes.
"One opportunity is to leverage the tools that are there for the deployment and provisioning VMs to put an operational process around them," Citrix's Roemer said. "As you create the workflow for behaving in the virtual world, it forces you to answer questions that you should have been asking in the physical world."