The first point is the statement that 60% of virtual servers are not as secure as the physical servers they replace and that’s not going to change until 2015. Really? Unfortunately, the articles don’t supply any basis for that claim or what is supposedly going to change in the next 5 years to change that. Gartner’s issue seems to be not having “information security professionals” involved in the virtualization project so it seems this number is based on project methodology and not a real analysis of virtual servers in the wild. Take this number with a HUGE grain of salt.
The second point is that supposedly the hypervisor (the core of the virtualization and cloud computing system) is a new platform that introduces new vulnerabilities and ones that havn’t been discovered yet. I’m not sure how they get “new” when the popular Xen hypervisor has been around for 7 years now.
It is certainly true that hypervisors may contain undiscovered vulnerabilities. Of course, so does almost any piece of software that touches the Internet (take a look at any of Microsoft’s bugfests). If you refused to use a piece of software unless it was guaranteed perfect, you’d never use any software at all.
The idea that network security appliances can’t see virtual machine to virtual machine traffic on the same physical host is simple to resolve with proper network design. The claim that virtual machines can’t be adequately separated is just plain odd. The blanket statement that the physical servers can’t provide adequate access control to the administrative interface is baffling.
Finally, there’s the “risk” that combining virtual servers on the same physical server can result in unauthorized access to data. Nobody ever provides a specific example of this claim, just a vague “well it COULD happen”. I would suspect that, since there’s a huge amount of virtual server and cloud computing being used (Amazon EC2 for example), if there was a major chance of this happening, we’d have already seen it.
So, what si the REAL virtual server or cloud computing security risk? The same thing it’s always been, bad system admin practices (understrength passwords, poor quality passwords, not updating buggy software), just exactly the same as it is for physical servers. It’s far more likely that a security breach of a virtual or cloud computing server is going to come from outside, just exactly as it would for a physical server.
Follow good administration practices, standard security practices for the virtual and control domains (Dom0 and DomU in Xen terms) just like a physical machine, and keep all software patched and up to date including the virtual machines and the hypervisor, and stop dreaming up boogeymen in the data center closet.
Email or call me or visit the SwiftWater Telecom web site for cloud computing services and green data center services and sleep well at night.