FRAMINGHAM, 8 NOVEMBER 2010 - At the Computerworld Premier 100 IT Leaders conference in March, one CIO stood up to express his unease about the security of a virtual infrastructure that has subsumed more than half of his company's production servers. Two other IT executives chimed in with their own nagging worries.
None of the executives in that room wanted to admit on the record that they feel vulnerable, but Jai Chanani, senior director of technical services and architecture at Rent-A-Center Inc., feels their pain. "One of my biggest fears is the ability to steal [virtual servers]," he says.
How concerned is your organization with the issue of security in a virtualized environment?
* Very or extremely: 32.7%
* Somewhat: 36%
* Minimally: 23.7%
* Not at all: 7.6%
Source: TheInfoPro survey of 214 IT security professionals, November 2010
Chanani's team has about 200 virtual servers operating as file, print and, in some cases, application servers. But, for security reasons, his shop doesn't use virtualization for the company's ERP system, databases or e-mail.
Michael Israel, CIO at amusement park operator Six Flags Inc., voices a different concern. For him, the most unnerving scenario is a rogue administrator moving virtual servers from a secure network segment onto physical hosts in an unsecured segment, or creating new, undocumented, unlicensed and unpatched virtual servers. "The last thing I want is 25 servers out there that I don't know exist," he says.
John Kindervag, an analyst at Forrester Research Inc., says he's heard stories from clients who have had VMware's vCenter management console compromised, enabling the attacker to copy a virtual machine that can then be run to access data. "When you steal a VM, it's like you broke into the data center and stole a piece of hardware. It's potentially devastating," he says.
"We worked for many years with customers on best practices that make this a complete nonissue," says Venu Aravamudan, senior director of product marketing at VMware Inc. He says most users address such risks by following best practices such as creating an isolated network segment for managing the resources, and creating role-based access controls.
The migration onto virtual servers has saved businesses huge sums of money as a result of consolidation and improved efficiency, but as virtualization gobbles up more and more production servers, some IT executives are getting indigestion. Has anything been overlooked? Could a catastrophic breach bring down critical applications -- or perhaps an entire data center?
"Customers wake up one day, realize that 50% of their business-critical apps reside on virtual infrastructure and say, 'Gee, is that secure?' That's very common," says Kris Lovejoy, vice president of strategy at IBM Security Solutions, a security consultancy.
Sign up for Computerworld eNewsletters.