There have been many concerns over the years about security within a virtual environment. Many incorrectly believe that just because the environment is virtual, it must inherently be secure. Not true. Virtual environments, for the most part, suffer from the same security concerns as physical environments.
As well, there are those in a different camp who believe that introducing virtualization into an environment fundamentally changes the very idea of security. Also not true. Sure, it changes things. The hypervisor adds a new layer of possibilities for security concerns, but it doesn't have to be a landslide of issues. It's just like adding any other new component into the environment -- architects and systems engineers need to properly educate themselves on the new component and then go through a thorough planning phase for its implementation.
In order to find out more about virtualization security concerns, I met with a well-known and outspoken security individual, Edward L. Haletky, president of AstroArch Consulting, DABCC analyst, VMware Community expert, and published author.
InfoWorld: What's the most common security mistake made when setting up VMware VI3?
Edward Haletky: Using a flat virtual network that does not account for the differences between security zones.
InfoWorld: And are security concerns addressed with the coming VMware vSphere 4 product that might have been missed with VMware VI3?
Haletky: A few. VMsafe will make using security tools more efficient. However, most if not all the improvements also increase the attack surface area.
InfoWorld: So what do you think about the new VMsafe API? How will it change things?
Haletky: VMsafe will radically change virtualization security; it will now allow for tools to be built that can see the entire virtualization host. With virtual networking, for example, you needed one agent for every three virtual switches; now you need one agent per VMware ESX/ESXi host. However, use of VMsafe-aware applications will also increase the attack surface areas to include the virtual appliances running the agents. So using a flat virtual network for virtual machines should no longer be done.
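The "flat virtual network" Haletky names as the most common mistake is a configuration in which VMs belonging to different security zones (DMZ, internal, management) share one Layer 2 segment on a virtual switch. The audit script below is an added example and is not code from the interview, from VMware, or from AstroArch Consulting; it runs over a small constructed inventory rather than querying a real ESX host, and the field names (vswitch, portgroup, vlan, zone) are assumptions chosen for the example. It treats each (vSwitch, VLAN id) pair as one broadcast domain, which is why two differently named port groups with the same VLAN, or two untagged port groups, still count as the same segment, and reports every segment that carries more than one zone.

```python
from collections import defaultdict

# Constructed inventory (not pulled from a real ESX/ESXi host). Each entry records
# the vSwitch and port group a VM's vNIC is attached to, the VLAN id tagged on that
# port group (0 = untagged), and the security zone its owner assigned to the VM.
INVENTORY = [
    {"vm": "web01",  "vswitch": "vSwitch1", "portgroup": "Production", "vlan": 0,  "zone": "dmz"},
    {"vm": "db01",   "vswitch": "vSwitch1", "portgroup": "Production", "vlan": 0,  "zone": "internal"},
    {"vm": "mgmt01", "vswitch": "vSwitch0", "portgroup": "Management", "vlan": 10, "zone": "management"},
    {"vm": "app01",  "vswitch": "vSwitch0", "portgroup": "AppTier",    "vlan": 20, "zone": "internal"},
    {"vm": "app02",  "vswitch": "vSwitch0", "portgroup": "AppTier",    "vlan": 20, "zone": "internal"},
]


def find_flat_network_findings(inventory):
    """Return one finding per broadcast domain that mixes security zones.

    A broadcast domain is identified by (vswitch, vlan): port groups on the same
    vSwitch with the same VLAN id are a single L2 segment regardless of their
    names, so a zone mix across such port groups is still a flat network.
    """
    # (vswitch, vlan) -> zone -> set of VM names
    segments = defaultdict(lambda: defaultdict(set))
    for entry in inventory:
        key = (entry["vswitch"], entry["vlan"])
        segments[key][entry["zone"]].add(entry["vm"])

    findings = []
    for (vswitch, vlan), zones in sorted(segments.items()):
        if len(zones) > 1:
            findings.append({
                "vswitch": vswitch,
                "vlan": vlan,
                "zones": sorted(zones),
                "vms": sorted(vm for vms in zones.values() for vm in vms),
            })
    return findings


def summarize(findings):
    """Render findings as one human-readable line each for a report."""
    return [
        f"{f['vswitch']} VLAN {f['vlan']}: zones {', '.join(f['zones'])} share a segment "
        f"({', '.join(f['vms'])})"
        for f in findings
    ]


if __name__ == "__main__":
    for line in summarize(find_flat_network_findings(INVENTORY)):
        print(line)
```

On the constructed inventory the script flags vSwitch1's untagged segment, where the DMZ web server and the internal database server sit on the same port group; vSwitch0 passes because its management and application port groups are on separate VLANs and each carries a single zone. Against a real host the same logic applies once the inventory is populated from whatever management interface is in use.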