Operational risks could mire virtualization deployment, panel says

Article

Operational risks could mire virtualization deployment, panel says

Robert Westervelt, News Editor
SAN FRANCISCO – Cloud computing experts at the 2009 RSA Conference said that companies virtualizing their infrastructure could run into a number of operational issues that can result in additional risk and less visibility in the environment.

The latest virtualization platforms are beginning to make it more complex to define who has overall control of virtual machines, said network security expert and cloud computing blogger Chris Hoff, who serves as technical director of the Cloud Security Alliance, a non-profit organization launched this week to promote virtualization best practices. He said the next platform releases will also make the technology even more complicated.

Hoff was one of several participants Wednesday in a virtualization security best practices panel at RSA. Vendors are adding capabilities, such as the integration of third party virtual switching. This week, virtualization software leader VMware Inc. released vSphere, a product that brings data centers into private clouds. The product now comes equipped with a bevy of new features designed for rapid deployments of multiple virtual machines.

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

We're going to have issues trying to figure out where our packets are, where they're going and where they've been.
Chris Hoff
technical directorCloud Security Alliance
Panelists said the future will get murkier when vendors add switching capabilities into the CPU, including interaction with Cisco Systems Inc.'s Nexus switches. Soon, Hoff Said, blade server environments will allow virtual machines to bypass the hypervisors altogether.

"I'd like to figure out where the network is in that picture," Hoff said. "We think we have problems today with tapped span ports. What happens with CPU and network switching? We're going to have issues trying to figure out where our packets are, where they're going and where they've been."

Dave Shackleford, a virtualization security expert and chief security officer of Colorado-based software provider Configuresoft Inc., said the visibility issue is one of the biggest problems that need to be addressed. The same controls implemented to harden a physical operating system should be deployed for virtual machines.

"It's really damn hard to secure what you can't see," he added.

Problems are also arising when companies virtualize machines without understanding the network architecture and topology, said panelist Rob Randell, a senior security specialist at VMware Inc.

In regard to virtualization, Randell said, "There's not a single technology out there that you can say, 'Yup, I can plop it in, and I'm secure.'".

See all our coverage of RSA Conference 2009:

SearchSecurity.com and Information Security magazine editors are in San Francisco to bring you the biggest RSA Conference 2009 news stories, interviews, podcasts, videos and more.
Tools are available to help solve the most common issues, and organizations are learning that anything that can be done for physical servers can be done on virtual machines, Randell said. For example, a company can put a virtual machine in isolated mode for patching and then put it back into production.

VMware also released its VMsafe APIs this week, enabling third-party security vendors to tap into the VMware hypervisor to provide agentless protection of virtual machines. About 50 vendors have applied to gain access to the VMware APIs, Randell said, and the first security products should be released this summer.

Don't miss need-to-know info!

Security pros can't afford to be the last to know. Sign up for email updates from SearchSecurity.com and you'll never be behind the curve!
Still, some experts argue that additional capabilities being provided by VMware, such as VMotion software products that enable companies to move live, running virtual machines from one host to another, complicate the process of securing virtual environments. But Hoff said that technical challenges, like monitoring workload mobility issues, are overblown. Very few organizations have a need to use the mobility features, he said.

"When we talk about virtualization, the networking elements and constructs on how to provision networks are constraining mobility," he said.