Virtual data safety

According to Schutz, there are three things to keep in mind when going to a virtualised environment:
Because a virtual environment includes a hypervisor that hosts virtual machines, it's important that layer is secure and trusted.

Second, users must be sure that virtual machines are isolated from one another, so that one infected virtual machine does not infect the other machines on the hypervisor.

And third, users should monitor traffic and ongoing operations in the hypervisor in real time.
Fortunately, virtualisation gives users the option of having a cleaner monitoring environment, particularly the ability to watch activity closely on a per-machine basis.

"It de-conflicts a lot of the monitoring difficulties," says Becky Bace, president and CEO of Infidel, a network security consulting practice in Scotts Valley, Calif. "You can monitor for a certain type of activity, and block everything else on a particular virtual machine without worrying about denying traffic elsewhere."

An attack on a hypervisor, however, can have a big footprint - it would leverage the power of the hypervisor.
"One way to prevent infection is to allow the machines to only communicate through the [virtual] network where policies can be enforced," says Schutz.

Managing virtually
The linchpin in all of this is management - especially policy management. Virtual security would be ineffective if management is slighted. The technology that secures virtual environments should share management consoles with physical management of endpoints. In turn, security technologies for virtual environment should be integrated with consoles that manage virtual machines - that is, the management of the virtual machine environment should integrate with the management of virtual machine security.

"Virtualisation takes strong planning and also takes a close look at the security that is already in place. An organisation may not always have the capability to move physical security controls into a virtual world," says IBM's Skapinetz. "So, the first step in moving to the technology is to identify any gaps and identify a set of guidelines and best practices for dealing with the issues."

Microsoft's Shurtz adds, "It's important to have up-to-date patches - there should be strong policies in place on keeping things current."

In fact, virtualisation problems can be more operations and organisational than they are technical, according to Chris Hoff, chief security architect at Unisys. It depends, of course, on the size of the organisation and how siloed they may be.

"As you design and build a heavily virtualised IT infrastructure, you better make sure that you architect and design the security in," says Hoff.

Virtual compliance
What about compliance and meeting regulatory requirements?

"In a business environment, you don't want to incur legal liabilities - you don't want to have your own assets compromised in such a way that an attack can be turned around and used as an attack mechanism against someone else," says Infidel's Bace.

You can be compliant, but it takes careful planning. When you have a lot of moving parts, it can make the certification process more complex.

"You can still guarantee levels of isolation. You can set up the same components of access control and encryption," says Dan Powers, VP of brand, strategy, marketing and business development at IBM ISS. "Is it [certification] attainable? I would say yes."

Tools for dealing with compliance can be leveraged for a virtual world.

"The majority of the kinds of things you need for adequate security exist today. You can lock down the data, provide logging and tracking needed for audit purposes, and keep service management records on how you bring up environments and take them down," says Unisys' Hoff.

Virtualisation is a technology whose time has come. Many of the primary problems in deploying a virtualised environment can be solved with proper planning. A carefully thought-out deployment may even yield fewer security problems. And at the very least, the decreased costs can far outweigh any increased cost of added security measures.