
Virtual server policy is key to mitigating systems vulnerabilities

Server virtualization is relatively new and has not been hardened against serious attacks. Managers need to prepare policies and supporting processes for managing this environment.

Virtualization has been identified as a critical new technology by 11 out of 10 IT industry oracles. There can be little doubt that there is and will be a deluge of information forthcoming about virtualization: how and when to use it.

Indeed, there already has been a lot of press concerning the threats represented by the spread of virtualized devices. You can count on a lot more as pundits, vendors and the media crank up the panic rhetoric. As a result, new products targeted at the spread of virtualization, its management and application are flooding the market. Let's examine virtualization fears that may be justified.


Virtualization layers pose concern
There is no doubt that some potential pitfalls exist in the implementation of virtual servers. The virtualization layer is, in reality, another operating system. And, as such, it is vulnerable to attacks. Furthermore, virtualization in the data center (except for mainframes) is relatively new. This means it has not been subjected to and hardened against serious attacks. However, vendors are aware of the potential problem and are working hard to identify and harden their products.

Common sense tells data center managers to monitor and attentively manage vendor alerts, warnings and updates. Care will have to be taken to assure the integrity and robustness of the partitioning and separation protecting user space. At risk is an attack against the host operating system by the client operating system. Again, the vendors are working here to build internal protections (e.g., software firewalls). There are other specialized attacks to worry about, but we feel the real threat comes from another source.

Nothing like the real thing . . . for security
The biggest threat of virtual servers comes from their most significant advantage. Because they are not physical machines, they cannot be secured the same way. Asset tracking, maintenance, configuration control, security and compliance all require special consideration, handling and processes.

Virtual device operational and compliance management is multi-faceted. Some aspects are traditional, such as management of the actual virtualization process, while others are new. For example, virtualization requires management to assure detailed configuration tracking of virtual machines that may have been removed from service. VMs may need protection against re-infection by activation of a long-ago retired virtual machine whose inheritance line was infected with a serious virus.

Understanding and managing virtual servers
This all sounds serious -- and it is. But data center operations can take steps to prepare, protect and manage their obligations with respect to virtual servers. First and foremost, understand the current state of virtualization in your data center. How many virtual servers are in your environment? How are they being used, maintained and operated?

Think about and prepare policies and supporting processes for authorizing, creating, maintaining, configuring, provisioning, tracking, retiring and re-activating virtualized servers. Outline, for example, how long a virtual server should operate, under what conditions it is retired, who is responsible for enforcing the policy, and where and how you retain configuration and provisioning records on retired machines for compliance. Furthermore, what are the compliance requirements for virtualized servers?
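One way to turn the retired-VM concern and the policy questions above into a reactivation gate, as an added example (not from the article or any vendor product). The record fields, the 365-day lifetime limit and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_LIFETIME_DAYS = 365  # assumed policy value, not taken from the article

@dataclass
class VMRecord:
    parent: Optional[str]            # image this VM was cloned from (None = root template)
    created: date
    owner: str = ""                  # who enforces policy for this VM
    retired: Optional[date] = None
    infected: bool = False           # an incident was recorded against this image

def lineage(inventory, name):
    """Walk the clone chain to its root; fail on missing records or cycles."""
    chain = []
    while name is not None:
        if name in chain:
            raise LookupError(f"cycle in lineage at {name}")
        if name not in inventory:
            raise LookupError(f"no configuration record for ancestor {name}")
        chain.append(name)
        name = inventory[name].parent
    return chain

def reactivation_findings(inventory, name, today):
    """Return policy violations; an empty list means reactivation may proceed."""
    vm, findings = inventory[name], []
    if not vm.owner:
        findings.append("no responsible owner recorded")
    try:
        chain = lineage(inventory, name)
    except LookupError as exc:
        return findings + [f"lineage unverifiable: {exc}"]
    findings += [f"infected image in lineage: {a}" for a in chain if inventory[a].infected]
    age = (today - vm.created).days
    if age > MAX_LIFETIME_DAYS:
        findings.append(f"image age {age}d exceeds {MAX_LIFETIME_DAYS}d limit")
    return findings

# Constructed sample inventory (all names and dates are made up for illustration).
INVENTORY = {
    "golden-2006": VMRecord(None, date(2006, 3, 1), "platform", infected=True),
    "golden-2007": VMRecord(None, date(2007, 1, 15), "platform"),
    "web-07": VMRecord("golden-2006", date(2006, 9, 1), "web-team", date(2007, 2, 1)),
    "db-02": VMRecord("golden-2007", date(2007, 6, 1), "dba", date(2007, 12, 1)),
    "test-9": VMRecord("lost-template", date(2007, 8, 1), "", date(2007, 9, 1)),
}

if __name__ == "__main__":
    for vm in ("web-07", "db-02", "test-9"):
        print(vm, reactivation_findings(INVENTORY, vm, date(2008, 1, 10)) or "OK to reactivate")
```

A VM whose ancestor record is missing is refused rather than waved through, which is why configuration and provisioning records for retired machines have to be retained.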

Lastly, start learning about the issues involved in managing virtualized servers: not only operational ones such as performance, priority and configuration, but also the issues we've just discussed. Of course, you should look to your major vendor partners like IBM, VMware, BMC, etc., but don't forget emerging players like Embotics Corporation. They offer a portfolio of solutions to maintain oversight and manage operation of VMs, as well as providing thought leadership about the problems around retiring VMs.

Comments? Questions? Disagreements? Corrections? Send your thoughts and comments to Richard Ptak

ABOUT THE AUTHOR: Richard Ptak is an analyst with Ptak, Noel & Associates. He has over 30 years' experience in systems product management.
