Virtualization Security: Ignore at Your Own Risk

Just a few weeks after Windows IT Pro attended the popular (and attendee-packed) VMworld 2008, we’re starting to hear from more virtualization vendors about where they think the market is headed next. Now that VMware has sketched out their product roadmap, many vendors think that virtualization security is the Next Big Thing.

There are a host of new surveys, whitepapers, and market research pointing to the need for virtualization security, along with a number of new products and product upgrades. I recently spoke with Jim Waggoner, the principal product manager for the Endpoint Security Group at Symantec, and he related some eye-opening stories about IT professionals making uninformed (and potentially catastrophic) decisions about virtualization security.

"I was recently speaking with an IT professional about how he planned to implement security for virtual machines in his IT infrastructure," says Waggoner. "He mentioned that he was using desktop virtualization, but didn't plan to implement any security for those desktop VMs. He said 'I'll just erase the VMs if there is any trouble, and create new ones.'"

Waggoner has been working on endpoint security at Symantec for more than a decade, and believes a lot of the same basic security precautions used with success on physical hardware can be used with virtual machines as well. Waggoner mentioned five general VM security tips that IT pros can follow to improve security in their virtual environments:

  • Patch Apps and OSes: Just like physical machines, keeping apps and OSes patched is a must.
  • Mind Your Configuration: Poorly configured VMs can lead to security and management problems, so make sure you have a solid configuration policy in place.
  • Be Aware of Identity Management Risks: VMs are very easy to create and deploy, but that ease of creation can also lead to problems with access. Are you allowing only the right people with the correct levels of access to create VMs?
  • Keep Your High Availability Options Open: Server consolidation can be a wonderful thing, but consolidating VMs to a single server creates a single point of failure. Be sure you have a functional high availability and backup and recovery plan in place to maintain uptimes and avoid disaster.
  • Use Security Software: Regardless of which security software you use, make sure that your VMs are running suitable security software. Explore VMware's VMsafe technology for the latest on securing your virtual environments, and make sure your existing security vendors have good virtualization support and licensing options.

Waggoner's concerns are supported by a recent survey of VMworld 2008 attendees conducted by Shavlik Technologies. Shavlik's study revealed that virtual machines are becoming ubiquitous, but security for those VMs is lagging. According to the survey, more than 80 percent of respondents thought securing virtual machines was “very important to critical,” but only 35 percent are actually using VM security. Shavlik's survey also indicated that 32.4 percent of respondents had no security scheme currently deployed, 37.8 percent were currently evaluating security options, and only 34.9 percent were using an existing security solution. Granted, a survey sponsored by a security vendor that stresses the need for more security isn't surprising. Yet Shavlik's survey is supported by more impartial research, including a study by Research and Markets, which points out that virtualization security is an emerging battleground for IT professionals.

"The rapid adoption of virtualization technology has created multiple benefits for IT organizations," the Research and Markets report reads. "However, these benefits can quickly be negated if virtualization opens a door to a major security incident."

Did you Attend VMworld 2008? Tell Us What You Think!
Did you attend VMworld 2008 as an attendee, speaker, or exhibitor? We’d like to hear about your experiences, so please send your thoughts about VMworld 2008 to Jeff James. Be sure to put "VMworld 2008 Feedback" in the email subject line so we can spot your feedback quickly.

Wanted: Virtualization Horror Stories
Have you ever had a bad experience with a virtualization deployment? We’d like to hear about your experiences, so please send your thoughts to Jeff James. Be sure to put "Virtualization Horror Story" in the email subject line so we can spot your feedback quickly.

Virtualization News
by Jeff James

Virtualization Congress Cancelled
Publisher Alessandro Perilli recently informed sponsors that his first Virtualization Congress event has been cancelled. In an email to sponsors, Perilli explained the reason behind the cancellation of the event. "The event website was visited with over 50,000 unique hits from March 4th to September 18th. We collected 28 sponsors, and built one of the best speakers list ever seen on virtualization conferences. Despite that, the amount of delegates that registered so far (over 270) and the current registration rate are unsatisfying and unable to match the expectation that we had in order to go forward with this event."

Microsoft Updates Virtualization Learning and Certification Offerings
Microsoft recently sent word that it has announced a new virtualization certification program centered on Windows Server 2008 virtualization with Hyper-V. Four new exams are available:

  • Microsoft Desktop Optimization Pack (MDOP) (Exam 70-656)
  • System Center Virtual Machine Manager (Exam 70-403)
  • Windows Server 2008 Application Infrastructure (Exam 70-643)
  • Windows Server 2008 Virtualization (Hyper-V) (Exam 70-652)

Microsoft says that new classroom and online options are also available.

Virtual Computer Announces NxTop, Opens Beta Program
Virtualization is changing how organizations are managing their IT infrastructures, and Virtual Computing is planning to take that one step further with their NxTop virtualization product. According to Virtual Computing, NxTop is a "combined client-side virtualization and management server solution that offers numerous advantages over traditional PC management, server-side virtualization and existing client-side virtualization solutions." NxTop seems to be focusing on the mobile computing market as well.

VMware Upgrades Workstation to 6.5
VMware has released version 6.5 of VMware Workstation, a desktop virtualization application aimed at technical professionals. Workstation allows multiple operating systems, including most desktop and server editions of Windows and Linux, to run simultaneously on one PC. Virtual desktops have many uses, but Workstation has many features targeted specifically at software developers. By allowing developers to create virtual machines (VMs) quickly with a variety of configurable specifications, the software lets them test their products in many different operating environments without leaving their PCs or even rebooting.

Catbird Unveils V-Security 2.0
Virtualization security is getting lots of attention these days, and Catbird hopes to allay the fears of IT pros nervous about VM security with the release of V-Security 2.0. This updated version of V-Security features OVF compatibility, event tracking, compliance reports, a network slow analyzer, and a feature that allows the creation of VM "TrustZones". Edmundo Costa, Catbird COO, said in a statement that "V-Security 2.0 reflects our experience working with customers who must meet security and compliance requirements in demanding enterprise environments."

The Virtualization UPDATE Archive
Did you miss a previous issue of Virtualization UPDATE? Every issue of Virtualization UPDATE is now available online in the Virtualization UPDATE newsletter archive.

Virtualization Tips and Tricks
Hyper-V Virtual Machine Snapshots

by John Savill

Q. What happens when I take a Hyper-V virtual machine (VM) snapshot?

A. Before we talk about snapshots, you need to understand a type of virtual hard disk (VHD) called a differencing disk. A differencing disk is an additional VHD file that effectively sits on top of another VHD file and works with the existing VHD. Any write operations are written to the differencing disk, so that no changes are made to the existing VHD. Read operations are first checked against the differencing disk to see whether updated content was written to it; if the content isn’t in the differencing disk, then the content is read from the existing VHD. This setup effectively freezes the existing content by storing changes separately on the differencing disk.

Read more about Hyper-V virtual machine snapshots.
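
A small model of the differencing-disk read and write behaviour described above, as an added example that is not from the newsletter or from Hyper-V. The 512-byte sector size and the `Disk` and `demo` names are assumptions, and the model does not reproduce the on-disk VHD format.

```python
SECTOR = 512  # assumed sector size for this model


class Disk:
    """One layer: a base image (parent=None) or a differencing disk."""

    def __init__(self, parent=None):
        self.parent = parent
        self.sectors = {}  # sector number -> bytes written to THIS layer only

    def write(self, n, data):
        # Writes always land in this layer; the parent is never modified.
        self.sectors[n] = data.ljust(SECTOR, b"\0")[:SECTOR]

    def read(self, n):
        # Check the newest layer first, then fall back down the chain.
        layer = self
        while layer is not None:
            if n in layer.sectors:
                return layer.sectors[n]
            layer = layer.parent
        return b"\0" * SECTOR  # never written in any layer: reads as zeros

    def merge_into_parent(self):
        # Commit this layer's changes into the parent and return the parent.
        self.parent.sectors.update(self.sectors)
        return self.parent


def demo():
    # Constructed sample content, not taken from a real VM.
    base = Disk()
    base.write(0, b"clean boot sector")
    base.write(7, b"config v1")

    diff = Disk(parent=base)         # differencing disk on top of the base
    diff.write(7, b"config v2")      # modification of existing content
    diff.write(9, b"dropped file")   # content that did not exist before

    return {
        "live_7": diff.read(7).rstrip(b"\0"),      # served by the differencing disk
        "live_0": diff.read(0).rstrip(b"\0"),      # falls through to the base
        "base_7": base.read(7).rstrip(b"\0"),      # base content is frozen
        "changed": sorted(diff.sectors),           # everything written since
        "reverted_9": base.read(9).rstrip(b"\0"),  # view after discarding diff
    }
```

In this model the differencing layer's keys are exactly the sectors changed since it was created, so the changes can be reviewed before the layer is discarded or merged.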

In the next issue of Virtualization UPDATE (10/08/08):

  • Commentary: Virtualization Horror Stories
  • New virtualization product announcements
  • …and more virtualization commentary, news, tips, and tricks
