A data centre security breach is every executive's worst nightmare. After all, the data centre is where your company keeps its most confidential and commercially sensitive information about its customers and contracts.

With the steady uptake of virtualisation technologies, however, many companies are introducing security vulnerabilities without even knowing it, says Lewis Honour, a security specialist at Logicalis.

"When companies virtualise their data centre servers, the security technologies and methodologies that they previously used to safeguard physical servers no longer apply," he says. "In effect, their secure data centre is now anything but secure."

There are, he adds, three main areas of risk:

1) Communications between servers

"In the world of physical servers, individual machines can be securely segregated from each other using firewalls and other network security tools," says Honour. "In the virtualised world, if one server has a vulnerability which is successfully compromised by a hacker, then that hacker can quickly penetrate the entire infrastructure - it's like firing a bullet in a sealed room," he says. Market analysts such as Gartner, as well as leading virtualisation company VMWare, are warning customers that they need to address this issue early on in their implementation, he says.

2) Patch management

In the virtual world, the patch management challenge is exacerbated, says Honour. "Each virtual server will need to be patched, even if they all reside on the same physical machine," he points out. As a result, procedures and policies for patch management will need to reassessed.

3) Rogue machines

Virtualisation offers a great opportunity for both hackers and malevolent insiders to set up rogue software programmes on your corporate servers. After all, when a single machine is able to run hundreds of different programmes, how can you tell when a new one has been introduced?

In the rush to virtualise, many companies don't give these problems sufficient attention, says Honour. But increasingly, Logicalis's experts are helping more security-aware organisations to tackle them head-on, using a new breed of security tools from specialists such as Reflex Security, which concentrates specifically on the world of virtual servers.

"The worst thing you can do is turn a blind eye to potential problems," he says. After all, by the time you open that eye again, your corporate data could be in anyone's hands.

Your Comments and Questions

Lewis Honour, 8 months ago

The language of security might be the same but the execution and the application of security in an physical environment versus a virtual environment have little in common. For any P2V (Physical to Virtual) project security needs to be much higher on the 'to do' list. Perhaps second only to the selection of the virtualisation technology. Previously in a physical environment you could get away with adding security as an afterthought but because of it's nature virtual environments need to be 'Secure by design' Security considerations include not only confidentiality but also integrity and availability of the systems. So if for example a rogue Virtual Machine is created that is hosting a peer to peer application and consequently we cannot access a legitimate VM because all of the network resources have been consumed then we have an issue. With respect to the question from Amanda: We have to be pragmatic and measure the value of the data (including confidentiality) and ensure we apply the correct controls to protect those data. However if the data is protected by encryption but we cannot acces the systems then we are equally challenged.

Mandy Shaw, 8 months ago

I don't think it's quite as depressing a picture as that, Amanda. Yes, if your very confidential data is virtualised into the same hardware as another server that has an exploited vulnerability, and if you're using a virtualisation technology that doesn't isolate that vulnerability, then you've got a problem. But the degree of virtualisation will always vary across your server estate. There's nothing to stop you taking advantage of virtualisation for some servers while leaving the file server that contains your most confidential data unvirtualised. And anyway, I'd point out that things weren't perfect before - an infection may spread faster in a virtualised data centre, but that doesn't mean these issues are absent from an unvirtualised one. If two servers have a network path between them, one is potentially vulnerable to intrusion from the other. It's all, as usual, a matter of risk assessment and risk management. A virtualisation project is an organisation's chance to introduce better systems management and better working practices across a server estate - an appropriate security policy is just one example of this. If you plan and implement your virtualisation properly, you can get the advantages without the disadvantages.

Amanda Smith, 8 months ago

This article points to one of the potential flaws in virtualisation. Like any IT project, it needs to be approached with caution, because for all the benefits of virtualisation - essentially, more capacity at less cost - there will also be new costs, like the additional security requirements that Lewis highlights above. At this stage though, is the threat to security such that it means those organisations with very confidential data shouldn't even consider virtualisation?

Gary Eastwood, 8 months ago

Interesting piece Lewis. So, in a sense, existing security procedures and systems really need to be completely reviewed before any virtualisation project has even started. Would you agree? And, if so, where do you start?

What's Your Question or Comment?

Name

Email Address

Your Website URL (please include http://)

Your Question or Comment

type the text from the image