Securing virtual environments may be challenging, but proponents of the technology say it offers some compelling security benefits too. Most notable of these is the fact that virtualisation on desktops, laptops and mobile devices could give organisations the ability to tackle a pressing business problem - how to ensure employees working on devices outside their control do not compromise corporate systems.
"On a laptop, the case for virtualisation is not consolidation of workloads, it is about providing secure isolation for virtual environments. In other words, making sure people have a corporate virtual machine (VM) and a personal VM, so no matter how much malware is running on someone's personal VM, it will not penetrate the corporate one," says Ian Pratt, vice-president of advanced products at Citrix and original architect of the open source Xen virtualisation project.
Richard Jacobs, chief technical officer at security vendor Sophos, says, "Whether it is about getting people to work from home, use mobile devices or simply about giving them more flexibility in the office, we are seeing an increasing number of organisations who want to separate their IT into managed and unmanaged environments. Virtualisation gives them a way to do that."
While security benefits are a positive selling point for client-side virtualisation, there are also security benefits to be had from server virtualisation.
Jon Collins, managing director of analyst Freeform Dynamics, says the consolidation that goes hand-in-hand with virtualisation inherently improves security. "Any consolidation exercise removes complexity from the architecture, which lowers security risks," he says.
But he cautions that organisations must avoid falling into the trap of allowing the proliferation of unmanaged VMs, or they could create a new set of problems.
David Jackson, senior security architect at Logica's security practice, identifies other security benefits.
First, virtualisation enables a clean image to be restored instantly over an infected environment.
Second, it lets people share systems without sharing sensitive data because each boots up in its own virtual environment.
Third, it allows easier management by giving organisations central control over time, type and level of application access provided to individual users.
Finally, it provides a 'sandbox' in which to conduct isolated testing and debugging of new applications, code and suspected malware, or for playing out other scenarios securely.
But Jackson also cautions that to gain these benefits, organisations must be prepared to manage the increased complexity involved in securing virtual environments.
"Virtualisation can make the environment more complex by adding a new layer of software that must be maintained, including performance and availability monitoring, upgrades and patches. Add to this the increased complexity of diagnosing problems and managing virtual images, and you begin to see why an unprepared enterprise can easily be sidelined," he says.
The current virtualisation market can also add an unwelcome layer of complexity that might scupper any attempt to realise the security benefits.
"Vendor support for specific environments on virtual systems can be more complicated. Compatibility and support requirements may also preclude running specific virtual workloads together on a single system. Organisations need to be aware of the hardware and software requirements from both their virtualisation vendor and their other software providers and be prepared to meet them before deploying virtualisation technologies," Jackson says.
But for those that persevere (and, given the other advantages of virtualisation, most probably will), the reward could be even more security benefits in future.
Suppliers are now looking at how they can use virtualisation to help organisations police networks like never before.
"The model at the moment is to put security on the desktop and certain gateways. Now people are trying to put security into the network itself, really picking up packets as they go past. Using virtualisation, we could gain much more visibility of what is happening at any given time or point on the network. We are not there yet, but it is a clear opportunity."