Appreciating the Complexity of Virtualization Security

A lot of people seem to be under the impression that virtual servers and desktops are secure environments because virtualization inserts a layer of software between the underlying operating system and the applications running on top of them.

That’s an understandable sentiment because it’s always been assumed the operating system was the most insecure element of the environment. But it's not true: Now that most security threats target applications, the operating system isn’t the issue. In fact, if anything, virtualization just serves to expand the attack surface by allowing IT organization to run more applications than ever.

In a webinar that can be found here, Dan Reis, product marketing manager at Trend Micro, notes that security-wise there is a lot that can go wrong in a virtual environment, including attacks between virtual machines, forgetting to patch applications on dormant virtual servers and the formation of antivirus storms.

As IT environments become more complex, it stands to reason that security will become more difficult to maintain in a world where the ratio of administrators to systems needing to be secured is increasing daily. Unfortunately, enthusiasm for virtualization specifically and cloud computing in general is leaving security behind, which means the processes for applying and maintaining security are falling behind, especially when agile development methodologies are increasing the number of new applications being developed and updated more quickly than ever.

In fact, a crisis over how security is managed already may be upon us. But in the rush to embrace the next great thing in enterprise computing, security once again is being treating as an afterthought.