Yesterday I caught a brief but an interesting exchange between two of the people I follow on Twitter. “All my storage conversations used to push to virtualization. Now all my virt / cloud conversations push to backup or security,” said Ed Saipetch, a senior vSpecialist at EMC Corp. Greg Knieriemen, a vice president at VAR Chi Corporation, retweeted this with the comment, “Agree.”
I can also agree. My own conversations since I started covering virtualization have followed a similar path, away from the hypervisor and back toward concerns about the underlying infrastructure. As Saipetch notes, this is particularly true when it comes to data security (as well as virtual backup, which is mostly a separate discussion).
Survey suggests struggles with virtualization security rise in proportion to percent virtualized
The experiences and discussions @edsai, @Knieriemen and I had are anecdotal, but a recent survey of just under 300 networking pros showed a more scientific correlation between the percentage of virtualization in an environment and the identification of security as a top problem.
“As companies virtualize more of their critical servers and resources, security becomes a greater issue,” wrote a Stephen Brown, product marketing manager for Network Instruments which conducted a survey in an email to The Virtualization Room. “Companies ranking security as their top concern had more than half of their servers (53%) virtualized and one-third of storage (29%) virtualized. This compared to the general virtualized population where 43% had over half of their servers virtualized and 26% had over half of their storage virtualized.”
Standards offer some guidance, but is it enough?
One approach the IT industry is taking to improving virtualization security is the development of standardized and enforced guidelines for how organizations handle sensitive data. . But it’s an arduous task, as demonstrated by the lengthy process that went into the latest PCI DSS 2.0 spec . The latest version of the spec finally acknowledged virtualization as acceptable, after more than two years of development and debate. The spec has yet to be supplemented with virtualization-specific guidance for IT practitioners.
Chris Richter, VP of security products for Savvis, said there are generally two “schools of thought” among security auditors when it comes virtualization. One holds that today’s virtual security controls are adequate for use in closely regulated environments. The other maintains that today’s procedures are not yet adequate for validating e virtual security controls and that there are hypervisor exploits of which we are not yet aware.
Thus, even with the general blessing of virtualization in DSS 2.0, whether virtual environments pass muster is still largely left up to individual auditors, who remain divided on whether virtual environments can truly be secured at this stage of their development.
Meanwhile, Edward Haletky, CEO and a virtualization security, SMB and cloud analyst for the Virtualization Practice, also points out that other regulations, like the Health Insurance Portability and Accountability Act (HIPAA), which focus on keeping sensitive data confidential (i.e., encrypted), and which haven’t been fully brought to bear in the virtual world.
“Right now if you’re a virtualization administator, you can pretty much see all the data. Cloud admins can see data. IT as a service admins control the service catalog and may be able to see data,” Haletky said.
Keeping heavily classified data confidential may require a virtual version of the trusted platform modules (TPMs) that are currently used to authenticate hardware devices by applying cryptographic hashes that ensure the software running on them has not changed.
‘Virtual TPMs’, as well as data encryption that can be applied more granularly at the level of virtual disks and memory, rather than to whole physical disks, would go a long way toward improving enterprise virtual security overall, Haletky says. “We need data confidentiality enforced at the VM level through encryption, and we’re not there yet.”