SAN FRANCISCO – Cloud computing experts at the 2009 RSA Conference said that companies virtualizing their infrastructure...
could run into a number of operational issues that can result in additional risk and less visibility in the environment.
The latest virtualization platforms are beginning to make it more complex to define who has overall control of virtual machines, said network security expert and cloud computing blogger Chris Hoff, who serves as technical director of the Cloud Security Alliance, a non-profit organization launched this week to promote virtualization best practices. He said the next platform releases will also make the technology even more complicated.
Hoff was one of several participants Wednesday in a virtualization security best practices panel at RSA. Vendors are adding capabilities, such as the integration of third party virtual switching. This week, virtualization software leader VMware Inc. released vSphere, a product that brings data centers into private clouds. The product now comes equipped with a bevy of new features designed for rapid deployments of multiple virtual machines.
"I'd like to figure out where the network is in that picture," Hoff said. "We think we have problems today with tapped span ports. What happens with CPU and network switching? We're going to have issues trying to figure out where our packets are, where they're going and where they've been."
Dave Shackleford, a virtualization security expert and chief security officer of Colorado-based software provider Configuresoft Inc., said the visibility issue is one of the biggest problems that need to be addressed. The same controls implemented to harden a physical operating system should be deployed for virtual machines.
"It's really damn hard to secure what you can't see," he added.
Problems are also arising when companies virtualize machines without understanding the network architecture and topology, said panelist Rob Randell, a senior security specialist at VMware Inc.
In regard to virtualization, Randell said, "There's not a single technology out there that you can say, 'Yup, I can plop it in, and I'm secure.'".
VMware also released its VMsafe APIs this week, enabling third-party security vendors to tap into the VMware hypervisor to provide agentless protection of virtual machines. About 50 vendors have applied to gain access to the VMware APIs, Randell said, and the first security products should be released this summer.
"When we talk about virtualization, the networking elements and constructs on how to provision networks are constraining mobility," he said.