Virtualization has impacted IT in so many ways it’s hard to keep track. It’s increased ROI for many businesses, and it’s helped data centers to breathe, at least for a little while. It’s enabled IT departments to procure true expertise without having to invest heavily in training or bring on new staff to handle things.
Virtualization has also shaken up the security side of things. Here are some areas in which virtualization is raising new issues for information security:
• Server responsibility. When it was a single server for a single app, it was pretty clear who was responsible for the server. Today, things get a little bit more mixed up. Who’s responsible for a given virtual server can be up for grabs. The data center is responsible for the physical servers, but beyond that it’s messy. Is it the business unit that’s responsible for the virtual server? Is it the IT staff closest to the physical server? Is it a systems admin? The challenge organizations face is identifying and implementing a clear line of authority and responsibility for virtual server management.
• Server security and visibility. Traditionally, enterprises have relied on network controls to segment off applications for purposes of security or compliance. Unfortunately, virtual servers come with something of an inherent, invisible virtual network that doesn’t have the same kinds of controls. This creates questions of security, regulatory compliance, and more. The virtualization world needs the sorts of tools available to the network world, such as firewalling, tracking, and sniffing technologies, to help ensure security.
• Patching and maintenance. One of the most common errors organizations make is to launch a virtual server and then tuck the image away for future use. They then forget about the image while making all sorts of configuration changes and implementing dozens of patches on the running server. This puts the virtual server at risk in the event that a restoration is needed, because the stored image no longer reflects those changes and patches. You need to make sure updated images of virtual servers are continually created so as to keep ahead of the patching and maintenance game.
Security in a virtualized environment is as important as in a traditional environment, if not more so, and needs to be fully addressed to ensure regulatory compliance and overall security.