Government Technology

Virtualization Raises New Cyber-Security Questions for Government



August 18, 2008 By

Virtualization can work wonders for an IT environment. It lets one computer do the job of many, using less floor space and energy and costing less to operate than installing more hardware. These virtual machines can be managed remotely, and can store critical data and applications for disaster recovery purposes.

But virtualization comes with a potential drawback. Specifically, it introduces a new layer of software on top of the host machine or system, which creates additional infrastructure to manage and secure.

Despite security concerns, however, virtualization's here to stay. According to survey results Microsoft released in April, 71 percent of U.S. retailers use virtual tools to cut costs and gain greater infrastructure control. Experts agree other sectors, including government, will ride the virtual wave for the foreseeable future.

As virtualization becomes common, security must adapt and evolve. IT professionals should ensure they don't scale their virtual environments up higher than they can control. To be manageable, a virtual environment should be built with clearly defined goals, architecture and set policies to gauge performance.

Steps to Security

Mark Ramsey, manager of IT operations for Charlotte County, Fla., said shutting down unnecessary services in the virtualized environment can help decrease cyber-attacks.

"It's probably more important in a virtualized environment, because of performance, that you eliminate unnecessary services from your servers," he said. "If you don't need Internet information services for some specific purpose on one of your servers, don't install it."

There will be less activity to protect and monitor if IT managers shut off unneeded activities. Another benefit is that the network will likely run better, because it will take up less processing power.

But securing a virtual network takes more than the efficient use of resources.

There are three areas that are different between virtualized and nonvirtualized environments, according to David Greschler, director of integrated virtualization strategy for Microsoft. "First, customers need to secure the virtualization layer by ensuring they are running virtualized applications on a trusted platform," he said. In other words, secure physical resources before running virtual systems on them.

Second, IT staff should isolate virtual machines, Greschler said. One way is to segment virtual machines into groups - one set running on one piece of hardware and another set running on a different piece - based on function and level of importance. This way, if one operating system inside a virtual machine is compromised, it's harder for viruses to infect systems running on other hardware.

"Third, customers must monitor virtual machine-to-virtual machine traffic so that the only communications through the network [are] where policies can be enforced and traffic analyzed," Greschler said.

Sometimes it's hard for people to track virtual machine activity. If they deploy additional virtual machines, they create another layer of machines to manage on top of the ones in their physical environment. This added virtual traffic can lead to security lapses and "blind spots" - areas people can't see in the infrastructure. It's not unusual for networks to be so vast that people lose track of which virtual machine runs what application.

This problem can be solved, but at times it may not be that pressing an issue.

"There are very rare cases where customers need full visibility of every sort of piece of traffic going between machines," said Nand Mulchandani, VMware's senior director of product management and marketing. In normal physical data centers, no one views traffic because it's not cost effective. "So when you move to a virtual environment, the loss of that visibility is actually not that big a deal," Mulchandani said.
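An added example, not part of the original article or any vendor's tooling: a Python audit of the grouping, tracking and monitoring points above. The inventory, flow list, and host and group names are constructed, and it assumes that traffic between VMs on the same host stays on that host's virtual switch.

```python
from collections import defaultdict

# Constructed inventory: VM name -> (physical host, function group, application).
INVENTORY = {
    "vm-01": ("host-a", "public-web", "web front end"),
    "vm-02": ("host-a", "public-web", "web front end"),
    "vm-03": ("host-b", "records-db", "case records database"),
    "vm-04": ("host-b", "public-web", "web front end"),  # wrong group for host-b
    "vm-05": ("host-c", "records-db", ""),               # nobody recorded what it runs
}
# Constructed VM-to-VM flows (source, destination), e.g. exported from flow logs.
FLOWS = [("vm-01", "vm-03"), ("vm-04", "vm-03"), ("vm-01", "vm-02")]


def mixed_hosts(inventory):
    """Hosts that carry VMs from more than one function group."""
    groups = defaultdict(set)
    for host, group, _app in inventory.values():
        groups[host].add(group)
    return {h: sorted(g) for h, g in groups.items() if len(g) > 1}


def untracked_vms(inventory):
    """VMs with no recorded application: the inventory 'blind spots'."""
    return sorted(vm for vm, (_h, _g, app) in inventory.items() if not app.strip())


def unmonitored_flows(inventory, flows):
    """Cross-group flows whose endpoints share a host.

    Assumption: same-host traffic stays on the host's virtual switch and never
    reaches the physical network where policy is enforced and traffic analyzed.
    """
    findings = []
    for src, dst in flows:
        (src_host, src_group, _), (dst_host, dst_group, _) = inventory[src], inventory[dst]
        if src_host == dst_host and src_group != dst_group:
            findings.append((src, dst, src_host))
    return findings


if __name__ == "__main__":
    print("mixed hosts:", mixed_hosts(INVENTORY))
    print("untracked VMs:", untracked_vms(INVENTORY))
    print("unmonitored flows:", unmonitored_flows(INVENTORY, FLOWS))
```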

Security and Management

Suppose you're an IT manager who wants to see what happens in a section of your network. Virtual machine No. 20 is communicating


You may use or reference this story with attribution and a link to
http://www.govtech.com/security/Virtualization-Raises-New-Cyber-Security-Questions-for.html

