Virtualization stretching IT security pressures

IBM is hoping to broaden the appeal of its Sametime enterprise IM software by expanding the current stand-alone offering into a family of products in a bid to better compete with other unified communications players like Microsoft and Cisco.

Virtualization technology, which allows multiple operating systems to run different applications on a single computer, has caught the attention of IT managers for its promise to let them better manage and utilize corporate IT resources.

However, some IT managers and security researchers warned that the emerging technology also makes corporate systems far more vulnerable to hackers.

Chad Lorenc, information security officer at a financial services company that he asked not be named, said that IT security and compliance projects are far more complex undertakings on virtual machines than on servers that run a single operating system and a single application.

"It is a very complex issue," Lorenc said. "I'm not sure you are going to find a single solution" for addressing security issues in a virtual environment.

"There is no silver bullet," he added. "You have to tackle security from a people, process and technology standpoint."

Virtualization technologies allow companies to carve out multiple virtual machines within a single physical resource, such as a server or storage array.

Each virtual machine runs a separate operating system that runs its own applications, functioning exactly like a stand-alone computer.

The technology allows companies to consolidate applications running on multiple computer systems into a single server, which promises to ease management requirements and allow hardware resources to be better utilized.

Analysts noted that the technology has been around for several years, but IT organizations started to increasingly use it as new virtualization systems emerged in recent months from companies like Intel, Advanced Micro Devices, VMware, Microsoft and IBM.

But as the technology spreads, it's important that IT managers understand that collapsing multiple servers into a single box does not change their security requirements, said George Gerchow, technology strategist at security vendor Configuresoft's center for policy and compliance.

In fact, he said, each virtualized server separately faces the same threats as a traditional single server.

"If a host is vulnerable, all associated guest virtual machines and the business applications on those virtual machines are also at risk," he said.

Therefore a server running virtual machines faces more danger from a single exploit than a single physical server, Gerchow said.

He noted that virtualization software allows developers, quality assurance groups and other corporate users to set up virtual machines with relatively little effort, and without IT oversight.

Such virtual machines can pop up, move across systems or disappear entirely on an almost constant basis if IT managers don't take measures to maintain control of each of them.

"IT departments are often unprepared for the complexity associated with understanding what virtual machines exist on servers and which are active or inactive," he said.

Without the ability to keep track of virtual machines, companies often cannot patch flaws or update systems when necessary, he said.

"When you have a virtual environment users tend to start piling on the virtual servers, " Lorenc said. The combined value of the assets on the host system can get "very high, very quickly," he said.

Even if IT personnel do keep track of all virtual machines running on a server, they can still face problems installing patches or taking systems offline to perform routine security upgrades, Gerchow added.

He noted that the risks associated with patching holes and upgrading applications grows each time a new virtual machine is added to a server.

Lorenc suggested that companies install tools that can quickly detect and discover virtual machines as they are installed on a corporate server. He also advised that companies create strong policies to control the spread of virtual machines.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?