Servers use only a small percentage of their capacities to store data or run applications. Virtualization technology allows multiple applications to run side by side on the same machine. This allows companies to consolidate as many as 20 servers into one machine that could be running databases, e-commerce applications, and a Web server simultaneously.
The return on investment is clear just from hardware costs and lower electrical costs (an estimated 2.5 percent of all U.S. power consumption is for data centers). At the same time, virtualization allows new servers to be put into a production environment very quickly, helping to realize savings on time and manpower.
But virtualized environments face the same threats as physical environments, plus some unique challenges. Jason Yuan, group manager for product management, at security firm McAfee told us that companies looking to realize cost savings by storing data virtually need to be aware of these risks.
"One of the benefits of virtualization is being able to create a disaster-recovery backup ," Yuan said. In fact, creating a backup can be done with nothing more than a right-click of the mouse. The backup image is typically stored offline on network -attached storage (NAS) or a storage-area network (SAN) until it's needed, then it's plugged directly into the production environment. That's where trouble lies.
"On the day of the backup there might not be a vulnerability, but six months later there may be some vulnerability that was uncovered in that operating environment or the applications that are running," Yuan explained. If that happens, the network becomes attackable the moment it's brought online. Yuan has seen it happen; a backup that had a vulnerability that didn't exist three months earlier was brought online, and was immediately infected by a worm that shut down thousands of machines.
"Virtualization requires the same security as a physical system," Yuan said, including antivirus, intrusion-protection and intrusion-detection systems. It also poses some unique threats. For example, the virtualization application itself is software that can be attacked. "Last year, the number of vulnerabilities associated with the virtualization environment doubled compared to 2006," Yuan noted. (continued...)