Do Business Applications Need Protecting In A Virtual World?
Some industry experts have claimed that there are still business applications that should not run on virtualised servers.
This is surprising. Gartner comments in its research note that “several interrelated trends are driving the movement toward decreased IT hardware assets, such as virtualisation, cloud-enabled services”, but the adoption of virtualisation, though widespread according to multiple surveys, still accounts for less than 40 per cent of all servers in the data centre today (CDW's Server Virtualisation Life Cycle Report, January 2010 and F5 Networks’ Trends in Enterprise Virtualisation Technologies, 2009).
The need for improved agility and the increasing cost and complexity of IT have driven many businesses into swiftly adopting virtualisation technologies. While some virtualisation experts claim that virtualised computing environments are less secure than physical computing environments, others claim that virtualisation can enable better security.
Both claims can be correct, but in reality when information security controls are improperly implemented or neglected in virtual environments, real security risks are exposed. These are the potential pitfalls of virtualisation, but the good news is that they don’t have to stop the technology being implemented. Another growing trend alongside virtualisation is delivering applications via the cloud as this reduces cost and moves application headaches outside the business. However, this does not come without risk.
Essential protection
The benefits of virtualisation are obvious. But every technology implementation needs to be weighed up in terms of the potential challenges and benefits, and virtualisation is no different.
Security administrators and those who manage virtualisation, predominantly server managers, need to understand phrases such as ‘hardened operating system,’ ‘walled garden,’ and ‘network segmentation’ in the one-box-for-one-application world, as well as prepare for the new threat arena for distributed and targeted attacks. The need to understand these threats only increases as more elements of the network become virtualised and convergence blurs the boundaries between storage and server networks.
To completely protect a virtual environment, many questions need to be addressed, including:
• How will current analysis, debugging, and forensics tools adapt to virtualisation?
• Which tools will security administrators need to master across all of the virtualisation platforms?
• How will patch management impact the virtual infrastructure for guests, hosts, and management subsystems?
• Will new security tools, such as hardware virtualisation built into CPUs, help protect the hypervisor by moving it out of software?
• How will security best practices, such as no-exec stacks, make a difference once fully virtualised?
These are all questions that need to be addressed before the enterprise world moves full-on into virtualisation. More than anything, we should be thinking today about where virtualisation security will take us tomorrow. We all agree that virtualisation is here to stay, but those implementing it need to make sure they stay ahead of the threats and think about virtualised threat vectors before attackers have coded for them.
Optimising Virtual Infrastructures
In addition to security concerns, leveraging the optimisation capabilities of modern load balancers (or application delivery controllers) is another way of making virtual infrastructure more efficient, as it increases virtual machine density and cancels out the impact of virtualisation overhead on application capacity and performance. Given that almost every cloud provider utilises some form of modern load balancing solution and can easily enable these optimisation capabilities, it seems unlikely that the lack of virtualisation awareness in applications would be detrimental to cloud computing adoption in the long run.
In fact, the ability to leverage both traditional and virtual resources, thus combining the local data centre with cloud computing resources, would seem to be a bonus to businesses seeking to address capacity concerns without moving their entire infrastructure to an external entity. The ability to optimise through the solutions required to implement a cloud computing infrastructure ensures that organisations moving to an internal cloud deployment are not forced to essentially “rip and replace” their entire infrastructure to support virtualisation-aware applications, but can instead leverage the virtual infrastructure and assist server managers with the challenges of a virtual world.
-- Owen Cole, F5 Networks, Technical Director, UK & Ireland
F5 Networks is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk
