Security BenefitsBy Baselinemag | Posted 2008-04-30 Email Print
Virtualization technology can deliver cost savings and improve IT performance, but it also introduces new security concerns. In this summary of a Burton Group report, security expert Pete Lindstrom examines the security considerations unique to virtualized IT environments.
Shared content and resources are the bane of security professionals, who spend most of their time collecting, categorizing, grouping and then separating resources in ways that make sense. Sometimes this grouping is done by business units, and sometimes it’s done by other means, such as the classification of the content.
A virtual environment can provide a way to separate program resources and content to enhance security. Shared resources also share risk at the aggregate level. Separating resources and content allows for stronger protection of higher-risk resources and reduces the overall impact of a compromise. A number of valuable uses could come out of this. For example:
- A single application or a set of applications could be run in a VM guest (or compartment) separate from all other applications.
- A consultant working for two different companies could do work for each client in a separate VM.
- An individual working on a personal computer could use one VM for business and another for personal finances and other home-related work.
User behavior can vary widely—from strong risk tolerance to strong risk aversion. Sometimes, this behavior can change quickly. Obviously, this creates a problem whereby the risk-tolerant behavior impacts the risk-averse requirements. An isolated temporary environment can provide a way to allow risk-tolerant behavior without significantly impacting the risk-sensitive resources.
One technique for virtual environments involves creating a “sandbox” VM and using it for risky activities. Assuming the content being created and the changes being made are insignificant in the long term, a user can “turn back time” to a point where the VM configuration was “known good”—typically reverting to the standard image. An obvious use for such a configuration is for shared systems, such as training systems and kiosks, to allow for maximum flexibility on the user side without creating any long-term damage.
The sandbox scenario also provides an obvious case in which streamlined recoverability is useful. In fact, the more frequent the reversion to a known-good state, the lower the potential for harmful consequences.
VMs also can be multiplied and distributed in many different ways. This flexibility is a boon to disaster recovery specialists looking for ways to increase availability. Maintaining replicated environments that are physically separate and creating images that can be recovered quickly contribute to the overall availability of the resources.