Sixty percent of virtualized servers will be less secure than the physical servers they replace through 2012. So says Neil MacDonald, vice president and fellow at Gartner. Virtual machines by themselves aren't inherently less secure. The problem is how VMs are deployed. MacDonald says the processes and tools used in the deployment of physical servers aren't necessarily being applied to their virtual counterparts. "In no way would I say, 'Don't virtualize.' The cost savings are undeniable. But we need to have an intelligent conversation between the operations side and the security side about what is different between the virtualized and physical environment," says MacDonald. VM insecurity is of growing concern because of the large number of virtual machines predicted to come online. By the end of 2009, only 18 percent of enterprise data center workloads that could potentially be virtualized had been so, according to Gartner. The analyst firm expects the number to grow to more than 50 percent by the end of 2012.
MacDonald outlines three issues that lead to insecure VMs. The first is that IT organizations don't treat the virtualization layer the same way they would an OS environment, where someone is responsible for correct configuration and management. "That means patching in a timely manner, understanding when critical patches are released, establishing configuration guidelines, and making sure they're adhered to over time," he says. "It's basic, but you'd be surprised - people don't think of this layer as an OS and don't extend their processes." This might require investment in tools that work correctly with this layer, he adds.
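The "treat the virtualization layer like an OS" point above is a process point, but it only holds up if someone actually checks adherence. The script below is an added example, not code from the article or from Gartner, written in VMware PowerCLI because the article's examples are VMware environments. It inventories ESXi hosts by build number and compares a handful of advanced settings against a baseline. The vCenter name, the minimum build, and the baseline values are assumptions for illustration; the setting names are real ESXi advanced-setting names from current releases, chosen here only as examples of the kind of guideline an operations group would enforce.

```powershell
# Added example (not from the article): audit ESXi hosts the way you would
# audit an OS fleet - patch level plus configuration baseline.
# Requires VMware PowerCLI and an interactive vCenter login; the server name,
# the minimum build and the baseline values below are assumptions.
Connect-VIServer -Server vcenter.example.com | Out-Null

# Assumed configuration baseline: advanced-setting name -> expected value.
$Baseline = @{
    'UserVars.ESXiShellInteractiveTimeOut'    = 900     # idle shell/SSH sessions expire
    'UserVars.ESXiShellTimeOut'               = 900     # shell/SSH services auto-disable
    'Security.AccountLockFailures'            = 5       # lock an account after 5 failures
    'Config.HostAgent.plugins.solo.enableMob' = $false  # Managed Object Browser off
}

# Assumed minimum build; take the real value from the vendor advisory you track.
$MinimumBuild = 20000000

# One finding object per deviation; an empty list means the fleet is compliant.
# ($Host is a read-only automatic variable in PowerShell, hence $EsxHost.)
$Findings = foreach ($EsxHost in Get-VMHost) {
    if ([int64]$EsxHost.Build -lt $MinimumBuild) {
        [pscustomobject]@{ Host = $EsxHost.Name; Check = 'Build'
                           Expected = ">= $MinimumBuild"; Actual = $EsxHost.Build }
    }
    foreach ($Name in $Baseline.Keys) {
        $Setting = Get-AdvancedSetting -Entity $EsxHost -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $Setting) {
            # A missing setting is itself a finding: the host may be too old for the baseline.
            [pscustomobject]@{ Host = $EsxHost.Name; Check = $Name
                               Expected = $Baseline[$Name]; Actual = '<missing>' }
        } elseif ("$($Setting.Value)" -ne "$($Baseline[$Name])") {
            [pscustomobject]@{ Host = $EsxHost.Name; Check = $Name
                               Expected = $Baseline[$Name]; Actual = $Setting.Value }
        }
    }
}

$Findings | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run: the point MacDonald makes is adherence "over time", so a one-off audit is not enough. Remediation is a separate step (`Set-AdvancedSetting` on the offending host), deliberately kept out of an audit script so that the security side can review findings before the operations side changes anything.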
Second is the loss of visibility into the virtual-machine-to-virtual-machine traffic that flows inside a server. Traffic between two VMs on the same host is switched in memory by the hypervisor's virtual switch and never reaches the physical taps, SPAN ports or intrusion-detection sensors that would see it if it crossed the network between two physical servers. "We do not have visibility as it stands - we're blind." Moreover, the legacy management vendors have been slow to roll out visibility tools or to upgrade their toolsets to support the virtual environment, he says.
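The blind spot above can be measured and, on a standard vSwitch, partly closed from the management layer. The script below is an added example, not code from the article or from Gartner, again in VMware PowerCLI. It first audits which port groups on each host allow promiscuous mode (the switch-level setting that lets a VM see other VMs' traffic, so it should be off everywhere except on a deliberately created monitoring port group), then creates such a port group and attaches a sensor VM to it. The vCenter, host, port-group and VM names are assumptions.

```powershell
# Added example (not from the article): find where VM-to-VM traffic can be
# observed on a host's standard vSwitches, then give an IDS sensor VM a tap.
# Requires VMware PowerCLI and a vCenter session; all names are assumptions.
Connect-VIServer -Server vcenter.example.com | Out-Null

# 1. Audit. A promiscuous port group lets any VM on it see all traffic on that
#    vSwitch and VLAN, so every such port group must be an intentional tap.
$AllowedPromiscuous = @('Monitor')   # assumed name of the only sanctioned tap

$Audit = foreach ($EsxHost in Get-VMHost) {
    foreach ($PG in Get-VirtualPortGroup -VMHost $EsxHost -Standard) {
        $Pol = Get-SecurityPolicy -VirtualPortGroup $PG
        [pscustomobject]@{
            Host        = $EsxHost.Name
            PortGroup   = $PG.Name
            VLAN        = $PG.VLanId
            Promiscuous = $Pol.AllowPromiscuous
            Sanctioned  = $AllowedPromiscuous -contains $PG.Name
        }
    }
}
# Promiscuous and unsanctioned: an unexpected VM may already be sniffing.
$Audit | Where-Object { $_.Promiscuous -and -not $_.Sanctioned } | Format-Table -AutoSize

# 2. Regain visibility on one host: a dedicated monitoring port group on
#    vSwitch0 with promiscuous mode allowed there and nowhere else.
$EsxHost = Get-VMHost -Name 'esx01.example.com'                          # assumed host
$vSwitch = Get-VirtualSwitch -VMHost $EsxHost -Name 'vSwitch0' -Standard
# VLAN ID 4095 on a standard vSwitch passes all VLANs tagged (virtual guest
# tagging), so the sensor sees every segment carried by this vSwitch.
$Monitor   = New-VirtualPortGroup -VirtualSwitch $vSwitch -Name 'Monitor' -VLanId 4095
$MonPolicy = Get-SecurityPolicy -VirtualPortGroup $Monitor
# Allow promiscuous receive only; the sensor has no reason to spoof MACs or transmit.
Set-SecurityPolicy -VirtualPortGroupPolicy $MonPolicy `
    -AllowPromiscuous $true -MacChanges $false -ForgedTransmits $false

# Assumed sensor VM running an IDS; its first NIC is moved onto the tap.
Get-NetworkAdapter -VM (Get-VM -Name 'ids-sensor-01') |
    Select-Object -First 1 |
    Set-NetworkAdapter -NetworkName 'Monitor' -Confirm:$false
```

Two caveats a practitioner would want. A promiscuous port group shows traffic on that one vSwitch of that one host; VMs on other vSwitches or other hosts, and VMs that vMotion away, leave the sensor's view, so this is a per-host tap, not fleet-wide monitoring. On a vSphere Distributed Switch the equivalent is a port-mirroring session (including remote mirroring to an external collector), which is configured through the vSphere client or API rather than the standard-switch cmdlets used here.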
Third, the staffers who would normally manage a switch and who are familiar with the processes and issues can be cut out of the process when the switch becomes virtual. "Who manages that virtual switch?" he asks. "In many cases, it's the VMware administrator. My argument is, it's a switch, whether it's virtual or physical. The group that's responsible for switches should be responsible," because otherwise there's a loss of the separation of duties that helps provide checks and balances.
The good news is that the market recognizes these issues and is responding. Upstart management and security vendors have launched a raft of products to help IT groups get a handle on VMs, and traditional vendors are adding support for virtual environments. Network Computing's most recent digital issue discusses more than 20 products that IT can bring online immediately to manage VM deployment, configuration, monitoring and security. As operations groups incorporate the virtual layer into their standard processes, MacDonald says that the number of poorly secured virtual servers should drop from 60 to 30 percent by 2015. It's a good step, but that 30 percent figure is still high. "We're seeing progress, but we're not where we should be," he says.