Skip to content ↓ | Skip to navigation ↓

By: Mark Gaydos

I was reading an article in InformationWeek called Time To Halt VM Sprawl. And the question I pondered was “are virtual servers less secure or are the processes surrounding virtualization less secure”? After thinking about this I realized it doesn’t really matter!Not Virtualization

Most of the bloggers, press and pundits I read say that virtual servers are just as secure as physical ones. However, if the processes used to manage virtualization are inherently less disciplined and more dynamic, AND result in less secure processes, it really doesn’t matter. Virtualization is then less secure than physical counter parts. You can point at the people and say it’s their fault, which is no doubt true, but if the technology requires new levels of discipline and process than that better be acknowledged.

The saying that guns don’t kill people…. people kill people came to mind. Sure, virtualization may be secure but if people can do more crazy (read non-secure) things with the technology than IT management better belly up to the bar and accept this…………. and put processes in place. Just like guns need special handling maybe so does virtualization. It’s about respecting the power of our inventions.

Tripwire CCM Express Free Trial
  • Preventing virtual server sprawl is important, as attack surface issues arise.

    But there is one feature of virtualization that can help with security.

    Once you have a highly secure server configuration – you can simply spawn copies of that for creating new hosts.

    That can greatly aid in deploying secure servers.

    Historically, without "ghost" or "imaging" software, most servers (in my experience) were created one at a time…

    Unless the person building the box had sufficient training and documentation, the chance of a configuration option being improperly set was pretty high.

    I encourage the creation of standard machine templates for different server types (file server, web server, sql server, etc). Secure them like crazy, and then spawn new instances when servers are needed.

    That said, we have to go back to your initial point. Processes and Procedures must surround when/where/who can create a new instance.

    Final point – virtual servers are not suitable for real time processing, so if an administrator fails to head that reality, they can create an "insecure" state by running RTS applications in a VM and risking the results.