Earlier today my colleague Rob Westervelt wrote about VMware’s plans to unveil what it calls VMsafe — a partnership program with Symantec, McAfee, the Internet Security Systems division of IBM, EMC’s RSA security division, and Check Point Software Technologies. The security risks and benefits associated with virtualization is a subject very much on our minds these days.
In recent weeks I’ve been interviewing many security experts about virtualization for an article I’m putting together, and along the way I’ve come across quite a few blogs that focus on the subject. Here are just a few of them:
Petri IT Knowledgebase: The people behind this site cover much more than just virtualization, but when they do turn their attention to the subject they do it well. Here’s an excerpt from the most recent entry on virtualization, from expert David Davis: “A lot of people think that if you virtualize, let’s say, a Windows 2003 Server, that virtualized system should be secure because it is completely separate from the VMware ESX Server operating system and it could be, potentially “protected” by VMware ESX Server. This is not true and there are a lot of things you need to know about virtualization security.” He goes on to offer plenty of helpful advice on how to properly secure virtualized servers.
Virtualization for Everyone: This site, among other things, keeps track of the latest virtualization news, with commentary throughout. Its latest entry, in fact, is on VMsafe.
Rational Survivability: This is the blog of security specialist Christofer Hoff. It covers all aspects of security, but the latest entry is about what looks like a pretty useful research paper from Andreas Antonopoulous from Nemertes called “A risk analysis of large-scaled and dynamic virtual server environments.” By the way, Chris, I’m interested in talking to you about this if you have time. 😉
Smart Security: This is the blog of Dharmesh Mehta, a security specialist based in India. His latest entry asks the question: Is virtualization secure? Here’s a bit of what he has to say about that: “Virtual machines are sometimes thought of as impenetrable barriers between the guest and host, but in reality they’re (usually) just another layer of software between you and the attacker. As with any complex application, it would be naive to think such a large codebase could be written without some serious bugs creeping in. If any of those bugs are exploitable, attackers restricted to the guest could potentially break out onto the host machine.”
Do a Google blog search on the subject and you’ll find many more sites to sift through.
Now, as I said earlier, I’ve been doing a lot of interviews with security experts about this, but to date I’ve been unlucky in my attempts to connect with an IT administrator or two who might be willing to talk about their own virtualization security experiences.
And so this is my plea for someone out there to come forward. This article will explore the pain points and successes of virtualization and it simply won’t be complete without the user experience.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at firstname.lastname@example.org.