Deconstructing the "S" word in virtualisation

So you've done your homework on virtualisation and have mapped out your strategy for the next couple of years - what about security?

According to the Gartner Group, whilst virtualisation offers large organisations the opportunity to reduce costs and increase their overall IT agility, if it is implemented without IT security best practices, it can actually increase costs and reduce the organisation's IT efficiency.

In a presentation at a Gartner symposium on virtualising security in San Francisco back in April 2007, Neil MacDonald, a Gartner vice president and fellow, told his audience - which included this writer - that, regardless of the specific architecture involved, the process of virtualisation uses a privileged layer of software.

If this privileged layer is compromised, he told delegates, it places all consolidated workloads at risk. "Virtualisation, as with any emerging technology, will be the target of new security threats," he said.

"Many organisations mistakenly assume that their approach for securing virtual machines will be the same as securing any operating systems and, as a result, plan to apply their existing configuration guidelines, standards and tools," he added.

"Whilst this is a start, simply applying the technologies and best practices for securing physical servers won't provide sufficient protections for virtual machines," he went on to say.

So what are the key points in the virtual environment that need protection? It's tempting to say all of them but, just like physical IT systems, there are weaker points, which merit your close attention when it comes to security.

Virtualisation software, such as hypervisors, represents a new layer of privileged software that will be attacked and must be protected.

The loss of separation of duties for administrative tasks, meanwhile, is another area that needs to be addressed because, if ignored, it can lead to a breakdown of defences.

Other areas that merit special security attention include patching, signature updates, and protection from tampering for offline virtual machine and virtual machine appliance images.

It's important here to understand the need for patching and secure configuration management of virtual machine appliances where the underlying operating system and configuration are not accessible.

Mobile virtual machines also require security policies to be applied, and for physical security settings to migrate with them. So what are the security solutions that are available?

Perhaps surprisingly, once you start to move outside the more obvious network edge-based solutions such as Unified Threat Management (UTM) appliances, security solutions developed specifically for virtualised environments are still quite thin on the ground.

IBM's strategy in this regard is to offer clients a tailored mix of IBM-developed and selected third-party virtual security technology that best fits each client

IBM's Internet Security Systems (ISS) division - which IBM acquired back in 2006 - has a healthy portfolio of offerings that reduces the cost and complexity of security and compliance.

They do this, the company claims, by delivering products that are designed to work together as an extensible platform, managed through a single management console.

Virtualised security offerings available from IBM-ISS include the Proventia family of products.

These include the Network Virtual Intrusion Prevention System (VIPS) appliance; the Network Security Controller (NSC); the Network Enterprise Scanner; and the SiteProtector 7.0 plus client security readiness tool.

The Network VIPS appliance is a virtual appliance that is billed as allowing clients to use their existing hardware by deploying virtual appliances on under-utilised hardware resources.

The NSC, meanwhile, is a security management appliance that enables protection for high-speed networks and helps clients preserve their existing Proventia physical systems.

The Network Enterprise Scanner safeguards enterprises from malicious attacks by identifying and prioritising risks associated with network vulnerabilities.

Last, but not least, SiteProtector 7.0 allows clients to easily manage and measure their enterprise security infrastructure through a centralised console.

IBM-ISS also offers a range of virtualised security solutions, including UTM appliances, as well as desktop and email technologies.

Which is best ultimately depends on your IT systems deployments, and the degree of virtualised vs physical systems technology, but, as always, the best advice is to do your research online (this portal is a good starting point) and then talk to your reseller or systems integrator.