The best way to create a secure virtual infrastructure is to get security experts involved early. Gartner estimates that as many as 40% of IT shops don't seek IT security's input on a virtual deployment until after the system is already built and online.
The problem becomes more evident as mission-critical applications move into virtual machines. "When you start looking at virtualizing SharePoint or Exchange or ERP, you really are running into sensitive data. That forces the issue," MacDonald says.
By then, organizations are trying to bolt on security that should have been designed in from the beginning. That kind of after-the-fact redesign work can get expensive. "CIOs should make sure they have their top people in the loop when designing this type of architecture," MacDonald says.
It all comes down to policy, contends Condit. "If you don't have a strong security policy in place, a virtual infrastructure is going to show up those weaknesses much more quickly because things happen more rapidly," he says, referring to how quickly virtual servers can be created and then moved around between physical host servers.
CIOs are right to worry. Says Condit, "A certain healthy level of paranoia is always a good thing."
Beware the All-Powerful Admin
In an unchecked, unmonitored virtual environment, administrators are all-powerful -- and that's not a good thing, consultants and IT executives agree. "This gives server admins the keys to the kingdom, and most of the time they don't understand the security risks," says Vauda Jordan, senior security engineer for the Phoenix city government.
For example, administrators may create a virtual FTP server that compromises security. Or they may use a virtual-machine migration tool to move a server onto different hardware for maintenance reasons without realizing that the new host is on an untrusted network segment.
Failure to implement best practices, or to establish a clear separation of duties in virtual infrastructure, is an all-too-common problem, says Andrew Mulé, a senior security consultant at RSA. "Folks still today don't like to practice segregation of duties. They give the crown jewels to a small number of people," Mulé says. He recommends developing a strong change-management process that includes issuing change-management tickets.
KC Condit, senior director of information security at Rent-A-Center, agrees. "In the virtual world, there is no inherent separation of duties, so you have to build that in," he says. Change management, configuration management and access control are vital to securing the virtual infrastructure.
Compliance is another concern. As director of systems engineering at the Council of Europe Development Bank, Jean-Louis Nguyen needs to monitor activity to ensure that the administrators of 140 virtual machines comply with regulations and management requirements. The bank tried using VMware's logging capabilities but needed a better way to consolidate the information. "Getting at those logs was nontrivial," he says. He ended up using a dedicated tool from HyTrust that provides a central log of all activity.