Rob Buckley – Freelance Journalist and Editor

Virtualisation offers a lot of advantages but security must already be built in


In an increasingly complex security world, virtualisation promises much - if you build in security from the get-go, says Rob Buckley


If there is one thing that seems certain, it is that the amount of work involved with IT and IT security is going to increase. With more servers, desktops and devices come more patching, configuration, malware, sources of data leakage, possible points of intrusion, not to mention the task of managing all of that. Wouldn't it be good if - instead of having to do all of that across thousands of devices - it could be done just once?

That is just one of the promises of server and desktop virtualisation technologies such as VMware's vSphere and View, Oracle's VM VirtualBox and Secure Virtual Desktop, Microsoft's Terminal Services or Citrix's XenServer and XenDesktop. Instead of an OS and associated apps running individually on separate devices, virtualisation lets an organisation run several 'virtual' versions of that software on the same physical machine, each in its own isolated environment, or virtual machine (VM). Each of these VMs can be based on a single 'image' of a standard OS with the correct security policies added and up-to-date software installed. If the organisation needs another server, it can create a new VM from the master image; if a physical server needs to be repaired, all its VMs can be moved to another server. With desktop virtualisation, employees can access their desktop and apps anywhere, on any machine or compatible device that can run a virtual machine 'player', yet data never leaves the enterprise.

Darren Argyle, security services and compliance management leader at IBM, argues that server virtualisation enables businesses to compete efficiently. "From the IT side, costs per unit of work will fall or the cost of deploying an equivalent physical set of infrastructure will be higher due to reduced complexity, enhanced resource use, recaptured floor space and improved energy efficiency."

Virtualised desktops also have many advantages. "A lot of organisations are moving to virtualised desktops," says David Ting, founder and CTO of Imprivata. "Desktop virtualisation has an incredibly good security profile. Not only can you manage the desktop centrally, you can start to tailor the definition for each template for each desktop assigned to a role - you don't need to have any local data stored at the endpoint."

Matthew Raymond, IT director at Trailfinders, agrees that desktop virtualisation has many advantages. About a year ago, he started looking at it in earnest because of Windows 7. With 28 sites in the UK and two in Ireland, all full of PCs running Windows XP, the idea of a hardware refresh and a new version of Windows had already been enough to prevent a Windows Vista upgrade, but he found the simplicity of VMware's desktop virtualisation software "hugely appealing". He started a proof-of-concept project, using VMware ESX, VMware View and RES Software's Workspace Manager to manage users' virtual desktop profiles. "Relatively quickly, it worked. It hung together." Then when a new office was set to open in Exeter last August, Raymond decided to roll out the proof of concept to the new office, albeit with "some level of nervousness". Such a success was this first site that he has now replaced the PCs at an established office in Norwich with Wyse thin terminals and virtual desktops. He and his team managed to do it overnight. "It is all going brilliantly."

Potentially, however, that flexibility and centralisation can lead to fresh problems, particularly in security. Consolidating all your servers down to just a few machines results in single points of failure. It could also make it easier for a malicious employee to gain access to far more data. Incorrect configuration can result in poor performance or security flaws. Add to this the increased complexity, additional expertise required and licensing problems and it is easy to see why most firms haven't switched more than a few systems over to a virtualised infrastructure.

Nevertheless, it is possible to reduce or eliminate some or all of these problems with the right techniques and technologies. Initially, before embarking on virtualisation or extending an existing virtualisation strategy, the CIO or CISO should look at the architecture of the planned system and try to reduce complexity. "You need to architect-in security rather than bolt it on afterwards," says Garry Sidaway, director of security strategy at Integralis. In particular, CxOs should look at where data will flow in the virtualised system and where it will end up. "You need to put in a control process around moving and building VMs," Sidaway adds.

Paul Simmonds, founder of the Jericho Forum, has a rule of thumb: "You should be able to draw it on a piece of paper. The instant someone comes along and tries to draw a 2x2 matrix or a 3D grid is when you know it's too complicated."

In general, data with the same levels of security can be allowed to mix in different virtual machines on the same physical server, says Peter Wood, member of the ISACA UK Security Advisory Group and CEO of First Base Technologies. However, data of mixed importance should be kept separated. This is particularly true for systems covered under PCI DSS regulations, which will require more stringent protection for any physical server containing customer data, irrespective of whether the data is separated from other data in a virtual machine.
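As an added example (not code from the article or from any vendor named in it), a small Python check that applies the placement rule Wood describes to a constructed VM inventory: it flags physical hosts that mix data classifications, and shows how a single cardholder-data VM brings every VM on its host into PCI DSS scope. The inventory, host names and classification labels are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample inventory (an assumption, not real data):
# VM name -> (physical host it runs on, classification of the data it holds).
# "cardholder" marks VMs that store or process PCI DSS cardholder data.
INVENTORY = {
    "web-01":   ("esx-host-a", "public"),
    "web-02":   ("esx-host-a", "public"),
    "pay-db":   ("esx-host-b", "cardholder"),
    "pay-app":  ("esx-host-b", "cardholder"),
    "hr-db":    ("esx-host-c", "confidential"),
    "intranet": ("esx-host-c", "internal"),
    "report":   ("esx-host-d", "cardholder"),
    "wiki":     ("esx-host-d", "internal"),
}


def group_by_host(inventory):
    """Map each physical host to {vm_name: classification}."""
    hosts = defaultdict(dict)
    for vm, (host, classification) in inventory.items():
        hosts[host][vm] = classification
    return hosts


def mixed_classification_hosts(inventory):
    """Hosts whose VMs carry more than one data classification:
    these violate the 'same level of security may share a server' rule."""
    return sorted(host for host, vms in group_by_host(inventory).items()
                  if len(set(vms.values())) > 1)


def pci_scope(inventory):
    """Every VM on a host that runs any cardholder-data VM is in PCI scope,
    because the control applies to the whole physical server, not the VM."""
    in_scope = set()
    for vms in group_by_host(inventory).values():
        if "cardholder" in vms.values():
            in_scope.update(vms)
    return sorted(in_scope)


def dragged_into_scope(inventory):
    """VMs that hold no cardholder data yet are in PCI scope purely through
    co-location; moving these to another host shrinks the audit boundary."""
    return sorted(vm for vm in pci_scope(inventory)
                  if inventory[vm][1] != "cardholder")


if __name__ == "__main__":
    print("mixed hosts:", mixed_classification_hosts(INVENTORY))
    print("PCI scope:", pci_scope(INVENTORY))
    print("in scope by co-location only:", dragged_into_scope(INVENTORY))
```

Running the check on the sample inventory shows that esx-host-d, not pay-db or pay-app, is the real problem: the wiki VM is pulled into PCI scope only because it shares a host with the reporting VM.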

Nick Seaver of Deloitte's security team says a good idea is to limit functionality of each virtual machine image. By ensuring each machine only does what is necessary, it is possible "to reduce the attack surface susceptible to abuse", he says.

