Virtualisation seems like the solution to managing IT systems, but what are its faults?
- SC Magazine, October 2009
In a complex security world, virtualisation seems to be a brilliant solution. But the VM path is strewn with pitfalls, says Rob Buckley
“The type of person whom you make responsible is critical,” says Chris Mayers, chief security strategist EMEA for Citrix, desktop virtualisation market leader, which also has a server virtualisation product called XenServer. “Desktop support isn't typically accustomed to supporting servers, but the people who support servers aren't accustomed to desktop support. You have to bring the different groups together and cross-train. Server people can learn about giving desktop users a good experience, desktop support people can learn about uptime.”
Similar problems can occur, says Dearing, when dealing with virtualised networking, where firewall teams may find themselves having to negotiate with other teams in a larger organisation, once firewalls and other infrastructure are subsumed into the virtual network. “It depends on the quality of people, but it can be difficult. A large organisation can be very siloed. The biggest issue is how to get over the structure and policy management of enterprise. It's like what happened with IP telephony.” Separation of duties becomes more important: “In a virtualised environment, where everything is more consolidated, there's an erosion of separation of duty,” he says.
Desktop virtualisation presents security risks similar to those of VPN access to a corporate network, although, since no data is transferred to the client, there are fewer risks posed by client machines being stolen – provided no passwords have been compromised. However, as Imprivata CTO David Ting points out, password compromise becomes a greater problem, since it gives attackers access to a user's whole desktop, not just to data that might be stored on a server. “The session roams with the user, so someone can break in, making user sessions vulnerable to password sniffing and shoulder surfing.”
Regulation and governance also have important bearings on virtualisation. PCI DSS requirements for separation of functions are more difficult to prove in a virtualised system, but Citrix's Mayers says the difficulties aren't great and further guidelines will be emerging from the PCI DSS virtualisation committee.
For virtualised storage, separation of data can be a particular issue. “You need to prove to auditors and regulators that there's segmentation of storage, even though it's virtualised – regulations and compliance requirements don't go away, but now you have to rely on logs and IT management,” says Andrew Maloney, marketing director, EMEA, at RSA.
Defending virtualised environments requires technology as well as process. Most security products work normally within virtualised environments. One exception to this rule of tool portability is authentication technology. For companies trying to use more than password-based authentication for accessing virtualised desktops, it's often impossible to add in a second factor for authentication using hardware, because of the thin nature of the client software. “It's much harder with connection brokers to support additional hardware,” says Ting.
While security tools may well work in virtualised environments, they can also throw up unexpected side effects. As anyone who has ever tried to work while an anti-virus program thrashes a hard drive knows, security products can affect performance. In a virtualised desktop environment, the thought of hundreds of desktops being scanned at the same time will give nightmares to any server admin.
As a result, some hypervisor vendors have developed APIs that allow security software on the host operating system to scan into guest environments, even if they're not currently running – VMware, for example, has an API called VMsafe.
Trend Micro's Core Protection product for VMware, for example, is based on Trend's anti-malware, but integrates with VMware's management console, vCenter. “It's specifically designed to scan each virtual instance, but to have a small-footprint agent in each VM,” says Trend Micro's senior security expert, Rik Ferguson. “Outside, there's a scanning VM interface with VMsafe that examines the active and dormant machines with the latest malware definitions.” Demand on resources is lower, the individual VMs need fewer software updates, and only one set of malware definitions needs to be updated: that used by the external scanner. The integration with vCenter allows the security of individual virtual machines to be monitored more easily.
Virtualisation may appear to be a technological issue, and one that can save on management costs and time. With proper processes in place, this can certainly be true, even if security professionals will still have much of their old work to do.
