Virtual insecurity: Who's in control of your virtual machines?

What's needed now are "command and control" management solutions

Server virtualization has reached an inflection point in the enterprise at the 10-year mark. Capital expense savings from physical server consolidation are leveling off and early gains in IT operational efficiency are at risk due to rapidly growing and increasingly complex virtual infrastructures. Moreover, business-critical production applications -- the next virtualization frontier -- demand higher levels of service and strict security and compliance oversight, further challenging IT operations teams.

The next phase of virtualization is about control, with the emphasis on efficiency, performance and agility. What's needed now are "command and control" management solutions that go beyond the inventory-focused tools prevalent today. In order to virtualize more workloads faster while protecting returns, next-generation tools need to address access control, policy enforcement, configuration control and activity logging.

The coming decade will be marked as the period during which virtualization matured from an enabling technology into a core data center infrastructure layer -- in many respects, a new operating system spanning every tier of the application stack and affecting all aspects of server and workload management.

While Taneja Group research shows 18% to 25% of application workloads in medium-to-large U.S. enterprises are virtualized, plans are in place to virtualize up to 25% more by the end of 2012. To date, most virtualized workloads have been Tier 2 and below (lower-priority and internal applications), but the clear trend is toward Tier 1, business-critical workload virtualization. Indeed, more than 70% of enterprises surveyed report that they are not only comfortable with deploying critical applications on shared, virtualized servers, but are also actively doing so.

Virtualization in transition: Losing control

The proliferation of server virtualization, as with any disruptive data center technology, is eventually limited by its impact on management and control processes.

Administrators are facing an explosion in the number of virtual hosts and virtual machines (VM) under management, with immature monitoring tools and ad hoc control processes. Inventory management is more difficult and utilization rates suffer from "orphaned" or overprovisioned VMs -- both signs of VM sprawl.

At the same time, the shift from lower-priority workloads to Tier 1 mission-critical workloads requires additional oversight from overworked operations teams, eroding efficiency. Mission-critical workloads depend on consistent, enforced server configurations, and often rely on sensitive data that is subject to corporate, industry and/or government regulations. Without adequate, enforced security controls, compliance risk will continue to escalate, tied to the rate of critical workload virtualization; ideally, compliance risk should rise in a controlled manner as additional workloads are virtualized.

The virtualization effect on IT operations is more than a theoretical concern. According to Taneja Group research into resource sharing in midsize and large enterprises, 89% of data center managers say administrators are losing time due to the limitations of virtualization management tools and processes. Of these, half say at least 10% of administrator time is being lost, while 1 in 5 reported a 25% or more reduction in efficiency.

In our view, most enterprises are just now reaching this transition point. This presents a compelling opportunity to address security and control issues before they adversely affect business user confidence or severely erode IT's ability to manage virtualization efficiently.

Identity crisis: How virtualization changes the Data center

The first step in planning for virtual infrastructure security is to recognize which elements of existing enterprise security, designed for physical environments, still apply. In general, all existing tools and processes for identifying data, network, system and application risks and vulnerabilities should be carried forward. These include access control, antivirus, intrusion detection, activity monitoring, firewall and related strategies and technologies.

In addition, the virtualization platform itself must be included as a new set of secured resources. This includes the hypervisor; virtual clusters, hosts and machines; virtual network adapters, switches and firewalls; virtual storage arrays and disks; and more. In many cases, virtualization's most attractive features are the same ones that make it more difficult to control.

Virtualization changes the definitions of and the lines of demarcation between IT resources, blurring or erasing traditional boundaries. For example, VMs are no longer just servers, but are also storage (a collection of files on disk). The VM can encapsulate sensitive files, so it is also "data" that may need to be protected. And VMs often contain virtual network adapters and hypervisors may include virtual network switches.

If a server is also data and/or a network device, and may reside on one of many physical hosts, traditional methods of identification are no longer useful. A finer-grained virtual object-based IT resource taxonomy is required.

Who "owns" these new virtual resources, the server, storage, or network teams? Who should or does have access, and what are they allowed to do? How are different roles allowed to access each resource type? Who owns data protection, recovery and availability planning?

Traditional separation of duties in the data center, based on physical IT resource definitions, do not adequately describe the access requirements or permissions necessary to support cross-domain workflows in a virtual infrastructure.

Abstraction everywhere creates complexity

Virtual resources are inherently mobile and connect to one another via layers of abstraction that did not exist in the physical environment. These connections are dynamic and often transient, and administrators can no longer rely on fixed mappings between tiers in the IT stack to monitor activity or control access. Visibility, at the resource level as well as across virtualized domains at the infrastructure level, is reduced.

Virtual resources are easy to create, deploy and reconfigure. These are all features that accelerate adoption, but stymie security and control planning. Without locking down the environment, how can operations teams encourage flexibility while still enforcing configuration controls?

In IT operations, it's well known that you can't manage what you can't measure. However, it's equally true that you can't measure what you can't even see. Traditional security strategies focused on element control: providing visibility into the activities that affected discrete servers, switches, files, applications and so on. Elements were static and typically identified by physical location. Virtualization changes the game. Now, the run-time interaction of these elements becomes as important to their identities as their configuration profiles. A file is just a file, unless it's also a virtual machine. In other words, the dynamic virtual infrastructure becomes the most important element to secure and control over time.

Taking control: Virtual infrastructure security essentials

Optimization efforts for the virtualization platform should address four essential components of a comprehensive security and control strategy: access control, policy enforcement, configuration control and logging. Within each of these, optimization must leverage existing security infrastructure, while augmenting it with new virtualization-aware functionality and enabling higher levels of automation. Our recommendations for optimization include:

* Access control and roles: Centralize and rationalize access methods to reduce redundancy and inefficiency; provide finer granularity to accommodate the range of new virtual resource types, user roles and access protocols.

* Objects and security policies: Simplify policy design and modification processes; support policy import/export; leverage in-place directory servers and virtual infrastructure inventory/topology/user descriptive data; improve visibility for mobile/transient virtual resources via labeling.

* Configuration control: Support industry-standard and third-party configuration assessment frameworks; monitor all configuration changes by role and object; improve response times by tracking configuration changes continuously; reduce compliance risk via automated remediation.

* Logging and compliance: provide continuous, consolidated and granular logging for faster forensic analysis; support user-specific logging; leverage in-place activity logs and system logging tools; reduce compliance risk via real-time monitoring and alerts.

These enhancements will allow virtualized data centers to achieve the same level of operational readiness and compliance as found in primarily physical infrastructures.

Where should virtualization support teams look for solutions? First, it's important to recognize that security and control are essential -- not optional -- for successful Tier 1 workload virtualization. Regulatory compliance is widespread and continues to grow, affecting businesses of all sizes, across most industries (HIPAA, Sarbanes-Oxley, PCI DSS, and more). If your data or processes are not subject to external compliance review today, they likely will be in the near future. Therefore, each vendor's business focus, security expertise and compliance knowledge should be heavily weighted in any evaluation.

Also, the intent and limitations of security capabilities provided by the virtualization platform vendors should be understood. In general, they are designed to enable third-party, added-value security solutions, not replace them. For example, VMware offers VMsafe technology for deeper inspection and enhanced control of virtual machines, to support third-party intrusion detection, antivirus and related solutions. VMware also maintains a hardening guide, documenting best practices for secure VM configurations. Both offerings enhance platform visibility and control, but are not complete security solutions.

In summary, the virtual infrastructure presents new complexity and mobility challenges that complicate security planning and threaten to limit the rate of business-critical workload virtualization. Virtualization management solutions to date have prioritized rapid provisioning and consolidation activities over access and configuration controls. In our view, a higher degree of virtualization management maturity is required moving forward, enabled by new management tools that emphasize control and optimize efficiency through automation.

Bartoletti is senior analyst and co-head of the virtualization practice at Taneja Group, an analyst firm that specializes in making sense of complex and emerging technologies. E-mail him at