Despite the complexities and security uncertainties tied to introducing virtual machines to the company environment, IT pros must move forward with virtualisation projects and accept the risk, according to a virtualisation expert.
Alessandro Perilli, a virtualisation security expert, told attendees at Burton Catalyst Conference '08 to not blindly trust virtualisation methods and to use common sense security practices when deploying virtualisation technologies. Perilli is the founder and principal analyst of False Negatives, as well as the writer of the Virtualisation.info blog.
"You have to accept fact that your introducing a new layer that's going to extend the investment that you've made to your systems," Perilli said.
Virtualized servers have the same kind of security challenges that the physical infrastructure provides, Perilli said. But IT security pros and administrators must retool their operational framework to handle the complexities being introduced into the environment, he said.
"The weakest part of the security defense we have in our infrastructure is related to the way we manage our operational framework," he said. "You cannot handle the capability of the virtual center to be dynamic if you don't have a strong operational framework."
Perilli said the risk of attacks on VMs is low, but will likely rise as adoption increases over the next several years. When you add virtualisation to the environment, you're adding software, he said, pointing out that VMware's patch releases increased from about 15 patches in 2006, to 70 patches in 2008.
"No security vendor can demonstrate that it's completely secure," he said.
Doug Martin, a senior manager of information security with Intuit Inc., said his company is moving forward with plans to roll out virtualisation into full production. The maker of the popular Quicken and Turbotax software plans to cut costs by reducing a number of its physical servers, Martin said.
"We're nibbling at full production," he said. "We want to be able to deploy without limiting our ability to support future technology."
Jorge Mata, CIO of the Los Angeles community college district, which operates several satellite campuses serving more than 140,000 students, talked about the success his team had deploying virtual servers. Currently the district has 120 virtual servers and 15 physical servers. The deployment didn't come without some headaches, he said, such as a complete failure of the district's email system.
"We went through spectacular failures," Mata said. "We were provisioning things ahead of time. In terms of storage, we were over provisioning."
Perilli said some vendors will be releasing VM lifecycle management software to help companies create a strong authorisation framework within virtualised environments. Companies can still start with the basics, he said. They should set up different VM hosts for each zone on different security levels. "With the virtualisation platforms we have today, you cannot just attach the current security layer inside the virtual machine," he said.
"Virtualisation is not a brand new word. Bring what you know to the table," Perilli said.