On CNet’s news blog, there is a great article by Jon Oltsik on “The real issue around server virtualization security.” The article notes that there is a lot of hype around doomsday risks like people hacking a VM or hypervisor and gaining access to some important resource or data.
So why are people worried about lower probability things?
“…what is it about server virtualization that should really keep chief information security officers up at night? A more pedestrian worry–lack of control.”
I’ve long held the belief that the 80/20 rule applies in IT and that the majority of your problems will come from the simple issues in life, and system management is no different. Of course, these same issues exist in physical infrastructure, as well, but virtualization’s agility amplifies weaknesses in process, controls, and policies.
What that means is that the lack of visibility and control mechanisms will typically “cost” a company more than any security issues – and they’ll cost you every day.
Is security important? Sure, but good security is more a by-product of well-designed, well-integrated processes and controls, and not a standalone discipline.
I think Oltsik sums it up nicely:
“If users focus on sound server virtualization policies, controls, operations, and safeguards, rather than the virtual security bogey man, they should be able to reap the benefits of server virtualization without a substantial increase in risk.”
Does this ring true in your organization? Is your virtualization security integrated, or its own silo?