There's no doubt you've heard from those who question how traditional security controls will work in virtual environments....
Despite the uncertainties inherent in any new technology, there are a number of ways virtual systems actually improve security and make it more difficult for an attacker to steal sensitive information.
Virtualization gives IT the opportunity to challenge traditional security concepts and secure the technical business infrastructure more cost effectively. These security benefits can be realized from the greater control IT has over configuration of application environments, easier processes for vulnerability management, and rapid delivery of pristine application images to all points of the organization.
Virtual environments will still come under attack, but those attacks will not easily persist in an application environment and will have more difficulty permeating the organization. In essence, the attack surfaces of business applications are substantially reduced to where the virtual machines -- operating systems, application executables and configuration profiles -- are managed.
The first step to challenging traditional security approaches is to realize that all computerized systems are always at risk of a malicious attack. There is no security technology in place that will make any technical infrastructure totally secure. Virtualized systems will be no more immune than non-virtualized systems to attacks that masquerade as authorized software to steal data, or modify configurations to disrupt the business. Advances by virtualization vendors into securing the hypervisor, performing attestation integrity checks of VMs, and detecting new classes of attacks is an important ongoing effort to make the infrastructure as safe as possible. The opportunity for IT is to leverage virtualization to change the way the business delivers applications; to change the way the business is secured.
Here are three examples of how selected IT organizations have taken advantage of virtualization to offer a more secure business environment:
- A major financial organization is concerned with protecting consumer data that may be accessed from remote laptops. The solution implemented was to virtualize the sensitive applications in the datacenter. Since the confidential data never leaves the secure datacenter in this virtual solution, the company is less worried about data loss. Rather than rigorously deploying endpoint security software, the organization used virtualization to avoid the problem of consumer data accumulating on laptops.
- A regional energy utility needs to ensure constant uptime of its control systems. The utility has taken advantage of its virtual architecture to regularly rotate its control systems between data centers, refreshing the critical VMs every day. One security benefit of this simple approach is that a successful attack against a VM will not persist longer than the VM refresh cycle -- the attack expires when the VM expires. The other benefit is that the utility has effectively made disaster recovery a part of its standard operating procedure. The utility has used virtualization to mitigate the effect of attacks against its control systems.
- A national service organization has used virtualization to better manage the vulnerabilities of remote applications. The organization has realized substantial savings in management effort by applying software upgrades, patches, configuration control and security scans to VMs centralized in the data center before they are delivered to remote sites. IT has enhanced control over application environments and can rapidly deliver new versions throughout the organization.
The challenge is for IT to look at how virtualized architectures can help avoid common security issues while enhancing application availability. While security and virtualization vendors continue to make products more resilient to attacks, IT can use virtualization to dramatically alter the attack surfaces to benefit the business.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.