Securing virtual environments may be
challenging, but proponents of the technology say it offers
some compelling security benefits too. Most
notable of these is the fact that virtualisation on desktops,
laptops and mobile devices could give organisations the ability to
tackle a pressing business problem - how to ensure employees
working on devices outside their control do not compromise
corporate systems.
"On a laptop, the
case for virtualisation is not consolidation of workloads, it
is about providing secure isolation for virtual environments. In
other words, making sure people have a corporate virtual machine
(VM) and a personal VM, so no matter how much malware is running on
someone's personal VM, it will not penetrate the corporate one,"
says Ian Pratt, vice-president of advanced products at Citrix and
original architect of the open source Xen virtualisation
project.
Two into one
Richard Jacobs, chief technical officer at security vendor
Sophos, says, "Whether it is about getting people to work from
home, use mobile devices or simply about giving them more
flexibility in the office, we are seeing an increasing number of
organisations who want to separate their IT into managed and
unmanaged environments. Virtualisation gives them a way to do
that."
While security benefits are a positive selling point for
client-side virtualisation, there are also security benefits to be
had from server virtualisation.
Jon Collins, managing director of analyst Freeform Dynamics,
says the consolidation that goes hand-in-hand with virtualisation
inherently improves security. "Any consolidation exercise removes
complexity from the architecture, which lowers security risks," he
says.
But he cautions that organisations must avoid falling into the
trap of allowing the
proliferation of unmanaged VMs, or they could create a new set
of problems.
Other benefits
David Jackson, senior security architect at Logica's security
practice, identifies other security benefits.
First, virtualisation enables a clean image to be restored
instantly over an infected environment.
Second, it lets people share systems without sharing sensitive
data because each boots up in its own virtual environment.
Third, it allows easier management by giving organisations
central control over time, type and level of application access
provided to individual users.
Finally, it provides a 'sandbox' in which to conduct isolated
testing and debugging of new applications, code and suspected
malware, or for playing out other scenarios securely.
But Jackson also cautions that to gain these benefits,
organisations must be prepared to manage the increased complexity
involved in securing virtual environments.
"Virtualisation can make the environment more complex by adding
a new layer of software that must be maintained, including
performance and availability monitoring, upgrades and patches. Add
to this the increased complexity of diagnosing problems and
managing virtual images, and you begin to see why an unprepared
enterprise can easily be sidelined," he says.
Buyers beware
The current virtualisation market can also add an unwelcome
layer of complexity that might scupper any attempt to realise the
security benefits.
"Vendor support for specific environments on virtual systems can
be more complicated. Compatibility and support requirements may
also preclude running specific virtual workloads together on a
single system. Organisations need to be aware of the hardware and
software requirements from both their virtualisation vendor and
their other software providers and be prepared to meet them before
deploying virtualisation technologies," Jackson says.
But for those that persevere (and given the other advantages of
virtualisation, most probably will), the reward could be even more
security benefits in future.
Suppliers are now looking at how they can use virtualisation to
help organisations police networks like never before.
"The model at the moment is to put security on the desktop and
certain gateways. Now people are trying to put security into the
network itself, really picking up packets as they go past. Using
virtualisation, we could gain much more visibility of what is
happening at any given time or point on the network. We are not
there yet, but it is a clear opportunity."
Top tips
- Use virtualisation to separate corporate and personal
environments on desktops, laptops and mobile devices. This gives
your business more flexibility without having to give up
security.
- The technology and market are still maturing, so be sure you
have cast-iron guarantees from vendors and service providers that
you will be able to achieve the security benefits you are seeking
with the systems you propose to
implement.