Tackling Virtualized Environment Security
http://www.internetnews.com/security/article.php/3 [2008-6-6]
"You can have a physical box with 20 virtual machines (VMs) on it talking to each other all day long and there's no way to get inside the network and find out what's going on, so all the tools people have bought over the last 10 years or so have to be re-instrumented."
There are three facets to the problem, said David Lynch, vice president of marketing at Embotics. These are the loss of identity; mobility; and the loss of control by the IT security team. In the physical world, a server is identified in the environment by its physicality -- the rack or row number, or something associated with the physical machine -- and, when it's virtualized, "you, in essence, remove its identity," he said. To make things worse, cloning a virtual machine results in several identical copies, and that creates system management, maintenance and updating problems because it's difficult to identify and differentiate the various clones of a VM from one another.
Adhering to compliance
Ensuring VMs are adhering to compliance and separation rules is also difficult because VMs are highly mobile, and can be migrated automatically to a different physical server if the resources of the one they're on are inadequate.
For example, an enterprise's human resources systems or credit card systems could end up running on a server where they could be potentially accessed by a Web server application when the VM they are running on is kicked over automatically to a new physical server.
Consolidation, which is the main reason corporations opt for virtualization, can also lead to this problem because "you might have had separate VLANs (virtual local-area networks) and segments for different kinds of data -- customer data, credit card data and so on -- but when you consolidate 20 physical servers into a single ESX host, all that data is on the same virtual switch so, more often than not, your data and network segmentation are lost," said Michael Berman, Catbird's chief technology officer.




