Virtualization requires the same security as a physical system, including antivirus, intrusion-protection and intrusion-detection systems. It also poses some unique threats, such as the virtualization application itself being prone to attack. We spoke with one expert to learn more about the risks and how to keep your virtual servers safe.
Servers use only a small percentage of their capacities to store data or run applications. Virtualization technology allows multiple applications to run side by side on the same machine. This allows companies to consolidate as many as 20 servers into one machine that could be running databases, e-commerce applications, and a Web server simultaneously.
The return on investment is clear just from hardware costs and lower electrical costs (an estimated 2.5 percent of all U.S. power consumption is for data centers). At the same time, virtualization allows new servers to be put into a production environment very quickly, helping to realize savings on time and manpower.
But virtualized environments face the same threats as physical environments, plus some unique challenges. Jason Yuan, group manager for product management at security firm McAfee, pointed out that companies looking to realize cost savings by storing data virtually need to be aware of these risks.
Where the Trouble Lies
“One of the benefits of virtualization is being able to create a disaster-recovery backup,” Yuan said. In fact, creating a backup can be done with nothing more than a right-click of the mouse. The backup image is typically stored offline on network-attached storage (NAS) or a storage-area network (SAN) until it’s needed, then it’s plugged directly into the production environment. That’s where trouble lies.
“On the day of the backup there might not be a vulnerability, but six months later there may be some vulnerability that was uncovered in that operating environment or the applications that are running,” Yuan explained. If that happens, the network becomes attackable the moment it’s brought online. Yuan has seen it happen; a backup that had a vulnerability that didn’t exist three months earlier was brought online, and was immediately infected by a worm that shut down thousands of machines.
“Virtualization requires the same security as a physical system,” Yuan said, including antivirus, intrusion-protection and intrusion-detection systems. It also poses some unique threats. For example, the virtualization application itself is software that can be attacked. “Last year, the number of vulnerabilities associated with the virtualization environment doubled compared to 2006,” Yuan noted.
So, before moving precious data into a virtual environment, take a look at the protection available. McAfee, for example, recently announced a host of products and services that address security issues in the virtualized environment. It’s embedding VMSafe, a set of APIs from virtualization giant VMware, into its security offerings. Yuan said that will allow McAfee to provide security “underneath” the operating environment, which will in turn improve monitoring and protection capabilities.
McAfee has also built a new Email and Web Security Virtual Appliance for the VMware platform to better protect virtualized environments while giving organizations the same cost benefits as other virtualized applications. Later this year, McAfee will launch a product that will open offline images and ensure they are protected before being put into the production environment.
Yuan said McAfee is also working to integrate its other offerings, such as encryption and data-loss prevention, into the virtualized environment. IntruShield, a network-based intrusion-prevention solution, is already effective against VMWare attacks, he said.
McAfee also announced an update of its virtual infrastructure security assessment service, McAfee Foundstone Professional Services. “It’s a risk-assessment service for anyone who wants to perform a virtualized deployment,” Yuan said. The technology-agnostic service has already been working with Fortune 500 companies and is aggregating best-practices tips into the updated service, Yuan said.