Mobility and cloud computing are currently hot topics in the IT space, enabling users to work on the move and from practically anywhere in the world. However, in order to deliver the full capabilities of these two technologies, virtualisation is critical to creating a consistent user experience across devices as well as allowing access to storage and network resources, says Fred Mitchell, Symantec division manager, Drive Control Corporation.

Although virtualisation can offer many benefits to any organisation, such as improving scalability and overall hardware resource utilisation, there are still a number of challenges. One of the most significant is security in this virtual world.

Security technologies and practices have not yet adapted to this change in IT infrastructure, and the nature of virtualisation itself creates its own security risks. Security needs to be integrated into the virtual environment from the ground up, and not as an afterthought, if organisations are to take full advantage of virtualisation, the cloud and mobility without leaving themselves vulnerable to security threats.

Thomas Bittman, vice-president of Gartner, says that “for most organisations, virtualisation will provide the foundation and the stepping stone for the evolution to private cloud computing. However, the need for security must not be overlooked or ‘bolted on’ later during the transition to private cloud computing”.

Along with the traditional security risks associated with any IT environment, including malware, data loss, and missing security updates and patches, there are new risks that are exclusive to virtual environments that must be taken into account. The growth of virtualisation requires organisations to review their entire security portfolio to ensure that protection is not limited to physical infrastructure.

Reliance on traditional security technologies is no longer sufficient, as firewalls and other perimeter-based approaches become ineffective in a dynamic environment such as that created by virtualisation. In addition, accelerated provisioning of services creates difficulties when it comes to ensuring that security risks have been identified and addressed.

Mixed-trust workloads are another challenge, as sensitive data may co-exist with other data in virtualised systems, meaning that proprietary and confidential information is at risk of exposure should it come into proximity with virtual systems that are not appropriately secured and managed.

The structure of a virtualised environment also poses a security challenge. If a virtualisation layer is compromised, there is an impact on all hosted workloads, which can expose certain virtual machines or enable intruders to intercept communications between virtual machines.

A lack of adequate controls on administrative access to the hypervisor layer – a software layer allowing several operating systems (OSes) to share a single hardware host – creates another challenge, as users entrusted with special privileges may be able to gain inappropriate access to workloads and information.

Alternatively, users can even acquire the ability to delete entire virtual machines, which can cause irreparable damage to availability and uptime. Virtual networks also introduce new layers of complexity, which make central visibility and control far more challenging.

The IT environment of the future incorporates both physical and virtualised infrastructure, along with an increasing variety of cloud-based services. Consistently and seamlessly protecting information, systems and people in this hybrid environment requires planning that takes into account several aspects.

These include: advanced security threats; sensitive data held in virtualised environments; distributed applications across physical, virtual and cloud infrastructure; accelerated provisioning and demand for new applications to be made available rapidly; shared resources; and a loss of visibility on security controls.

To address these aspects, security products such as endpoint protection, data loss prevention, compliance and identity management need to interoperate and communicate to improve incident prevention and response. In addition, IT requires a unified view of information and infrastructure security, which requires integration between security products and application operating environments.

Security needs to be automated to reduce the risk of user error, and end-to-end visibility assists with building a comprehensive risk and compliance view of the entire ecosystem. This ensures that physical, virtual and cloud infrastructure can be more effectively secured.

Ultimately, the major benefit of virtualisation is enhanced agility, but in order for enterprises to fully leverage this benefit, the associated risks must be managed. Meeting the challenges of ensuring security in a virtual world requires a combination of advanced technology, comprehensive security strategy, and an up-to-date view of the risks and trends in the market that relate to virtualised security threats.