
Initial virtualization costs could outweigh benefits

By Robert Westervelt, News Editor
23 Jul 2008 | SearchSecurity.com

Security Wire Daily News

A security researcher studying ways to securely deploy and manage virtual environments says the initial costs of virtualization could make it more expensive than most companies anticipate.


Christofer Hoff, chief security architect at Unisys Corp., will give a briefing at the Black Hat conference in Las Vegas next month. The briefing, called "The Four Horsemen of the Virtualization Security Apocalypse," will outline several architectures that could be used as a guide to deploy and manage the technology more securely.

Virtualization technology is wreaking havoc on the management of storage, networking, clients, servers, applications and operating systems, Hoff said. Security pros and network administrators aren't controlling the virtual environments because most virtual systems haven't touched full production systems until now. Instead, they are controlled by virtual server administrators who have reduced security to a couple of clicks on a server, Hoff said.

"You should be doing the same sorts of things that you use to secure your physical environment in your virtual environment," Hoff said. "But people are not doing that for some reason, and that reason generally stems from the fact that the folks who normally have governance over that infrastructure are now outside of that process."


Hoff said the costs of deploying and managing virtual environments will stay the same for firms that don't add security. But companies that attempt to manage security for all areas connected to the virtual environment will likely see a price increase. Security pros are finding that they lack visibility or troubleshooting capabilities, which they had in physical environments. Ultimately, deploying virtualization technology will likely change the makeup of most company IT architectures, Hoff said.

"We've got the ability to spin VMs up anywhere, anytime, connected to anything, and we don't necessarily have the same amount of oversight, governance and change controls," Hoff said. "In the short term, the largest problem we have with virtualization is organizational, not technical."

Part of the problem stems from the fact that most enterprises today are extremely complex, with poor visibility over current business processes and application workflow, Hoff said.


"If you ask somebody to figure out all of the assets that contribute to an application in a complex environment, nine times out of ten you'll find out that there's some box sitting underneath some DBA's desk that is so absolutely critical to the process that when somebody unplugs it to vacuum the floor you wonder why your production environment goes down," Hoff said.

In addition, the same security tools used in physical environments will work in virtual environments. But IT pros could have trouble deploying security tools and making them work effectively in virtual environments, Hoff said.

"A lot of the tools that we have today simply don't adapt well to virtualized environments," Hoff said. "In many cases the appliances that we've deployed physically … simply don't work the same way."

As a result, new tools will be developed to address security in virtual environments. Network-based appliances will be tailored into virtual appliances. Host-based security tools will be modified to take advantage of the application programming interfaces (APIs) released by virtualization platform providers.


