As enterprises gallop ahead toward virtualizing their IT infrastructures,
security and compliance issues are going to slow them to a crawl.
That’s because virtual environment security is nothing like security in the
Security measures in the physical environment are based on the servers being
fixed, having a constant identity, and being easy to check on, but the virtual
environment is always fluid, always changing and difficult to get a handle
Worse still, the tools and processes that ensure security in the physical
environment just don’t work in a virtualized one.
“The existing tools for remediation, discovery and so on aren’t for the
virtual world,” Chris Farrow, director of product strategy at virtualization
policy management vendor Fortisphere, told InternetNews.com.
“They don’t understand the virtual
architecture is dynamic, virtual machines can be turned on or off, and
typical scanning and provisioning tools don’t understand the concept of machines
being able to migrate on the fly, an entire machine that you can capture on a
thumb drive,” he explained.
“They expect a box that’s on 24×7, is always sitting on a rack somewhere and
not dynamically changing its identity and nature or being moved easily from one
host to another.”
The procedures for regularly assessing the IT environment, finding out which
boxes are running what software, for patch management and for provisioning are
“great for the physical world, but not for the virtual world,” Farrow said.
“You can have a physical box with 20 virtual machines (VMs) on it talking to
each other all day long and there’s no way to get inside the network and find
out what’s going on, so all the tools people have bought over the last 10 years
or so have to be re-instrumented.”
There are three facets to the problem, David Lynch, vice president of
marketing at Embotics, told InternetNews.com. These are the loss of
identity; mobility; and the loss of control by the IT security team.
In the physical world, a server is identified in the environment by its
physicality — the rack or row number, or something associated with the physical
machine — and, when it’s virtualized, “you, in essence remove its identity,” he
To make things worse, cloning a virtual machine results in several identical
copies, and that creates system management, maintenance and updating problems
because it’s difficult to identify and differentiate the various clones of a VM
from one another.
Adhering to compliance
Ensuring VMs are adhering to compliance and separation rules is also
difficult because VMs are highly mobile, and can be migrated automatically to a
different physical server if the resources of the one they’re on are
For example, an enterprise’s human resources systems or credit card systems
could end up running on a server where they could be potentially accessed by a
Web server application when the VM they are running on is kicked over
automatically to a new physical server.
Consolidation, which is the main reason corporations opt for virtualization,
can also lead to this problem because “you might have had separate VLANs
(virtual local-area networks) and segments for different kinds of data —
customer data, credit card data and so on — but when you consolidate 20
physical servers into a single ESX
host, all that data is on the same virtual switch so, more often than not, your
data and network segmentation are lost,” Michael Berman, Catbird’s chief
technology officer, told InternetNews.com.
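The two failure modes described above, a migrated VM landing on the same virtual switch as a lower-trust workload and clones that share an identity, can both be caught with an inventory check rather than a network scan. The following is an added example written for this article, not code from Fortisphere, Embotics or Catbird; the record format (host, virtual switch, name, UUID, data class), the separation policy and the inventory snapshots are all constructed assumptions.

```python
"""Separation and identity checks over a constructed VM inventory snapshot.

Added example, not from the article or any vendor product. The record
layout, the separation policy and the sample inventories are assumptions
made here for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VmRecord:
    host: str        # physical host the VM currently runs on
    vswitch: str     # virtual switch the VM's vNIC is attached to
    name: str
    uuid: str        # platform-assigned identity; clones may carry the same one
    data_class: str  # assumed labels: "pci", "hr", "dmz-web", "general"


# Assumed policy: these data classes must never share a virtual switch.
SEPARATION_RULES = {
    frozenset({"pci", "dmz-web"}),
    frozenset({"hr", "dmz-web"}),
}

# Constructed snapshot taken before an automated migration.
INVENTORY_BEFORE = [
    VmRecord("esx01", "vSwitch0", "web01", "uuid-1001", "dmz-web"),
    VmRecord("esx03", "vSwitch0", "cc-db01", "uuid-2001", "pci"),
    VmRecord("esx02", "vSwitch0", "hr-app01", "uuid-3001", "hr"),
    VmRecord("esx02", "vSwitch0", "hr-app01-clone", "uuid-3001", "hr"),
    VmRecord("esx02", "vSwitch1", "web02", "uuid-1002", "dmz-web"),
]

# Constructed snapshot taken after the migration: cc-db01 now sits on
# esx01, on the same virtual switch as the DMZ web server.
INVENTORY_AFTER = [
    VmRecord("esx01", "vSwitch0", "web01", "uuid-1001", "dmz-web"),
    VmRecord("esx01", "vSwitch0", "cc-db01", "uuid-2001", "pci"),
    VmRecord("esx02", "vSwitch0", "hr-app01", "uuid-3001", "hr"),
    VmRecord("esx02", "vSwitch0", "hr-app01-clone", "uuid-3001", "hr"),
    VmRecord("esx02", "vSwitch1", "web02", "uuid-1002", "dmz-web"),
]


def separation_violations(inventory):
    """Return (host, vswitch, class_a, class_b) for every rule broken on a
    shared virtual switch. Segmentation is judged per switch, not per host:
    two classes on the same host but different switches are not flagged."""
    classes_by_switch = defaultdict(set)
    for vm in inventory:
        classes_by_switch[(vm.host, vm.vswitch)].add(vm.data_class)
    violations = []
    for (host, vswitch), classes in classes_by_switch.items():
        for rule in SEPARATION_RULES:
            if rule <= classes:
                class_a, class_b = sorted(rule)
                violations.append((host, vswitch, class_a, class_b))
    return sorted(violations)


def duplicate_identities(inventory):
    """Return {uuid: [names]} for identities shared by more than one VM,
    which is how cloned machines show up in an inventory."""
    names_by_uuid = defaultdict(list)
    for vm in inventory:
        names_by_uuid[vm.uuid].append(vm.name)
    return {u: sorted(n) for u, n in names_by_uuid.items() if len(n) > 1}


def moved_vms(before, after):
    """Return (name, old_host, new_host) for VMs whose host changed between
    two snapshots, so that migrations can be reviewed against policy."""
    old_host = {vm.name: vm.host for vm in before}
    moves = []
    for vm in after:
        if vm.name in old_host and old_host[vm.name] != vm.host:
            moves.append((vm.name, old_host[vm.name], vm.host))
    return sorted(moves)


if __name__ == "__main__":
    print("moved:", moved_vms(INVENTORY_BEFORE, INVENTORY_AFTER))
    print("separation violations:", separation_violations(INVENTORY_AFTER))
    print("shared identities:", duplicate_identities(INVENTORY_AFTER))
```

Run against the "after" snapshot, the check reports the credit card database co-located with the DMZ web server on esx01/vSwitch0, while the HR application on esx02 is not flagged because web02 is on a different virtual switch. Comparing the two snapshots also surfaces the migration itself, which is the event a change-review process would want to see.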