The uptake of Software-as-a-Service applications such as salesforce.com, and the success of IT service outsourcing demonstrate how centralised remote computing approaches can also provide more efficient ways to deliver technology resources to users, helping cloud computing to gain greater buy-in from corporate decision-makers. But as the industry moves towards a new IT infrastructure play, what are the implications on IT security?  

Why should security professionals be concerned?
According to research from Gartner, around 16 per cent of all servers within enterprise IT environments are now virtualised, and the firm expects this to increase to around 50 per cent by 2012. The market leader in this space, VMware, now has over 150,000 customers. Microsoft's virtualization product Hyper-V is effectively free with the latest version of Windows Server, encouraging take-up of the technology and making it more accessible to the smaller business.

With any technology that is growing in importance to enterprises of all sizes, it is expected that malware writers will attempt to attack the virtualised environments, either to hijack workloads or steal critical data. An example of how virtualization is being considered alongside security is the Payment Card Industry's Data Security Standard, where a Special Interest Group has been set up to discuss the role of virtualization within retailers’ networks, as well as how this has an impact on protecting credit and debit card payment data.

There are three main attack targets on a virtualised environment:

- The virtual machine workload, which will consist of an OS, applications and data, similar to a traditional server workload;
- The hypervisor itself;
- The management APIs that are used to control the virtual machines and integrate with other IT management products.

For the security team, the biggest issue facing them is often not being involved in the implementation of virtualization in the first place. As this technology has often started life in test and QA environments, it has not been part of security's remit. As the use of virtualization spreads into more production environments, security has to be a core concern. This includes evaluating business continuity aspects, as the proportion of workloads affected by an outage or virus attack will be much higher in a consolidated environment.

The first consideration is that traditional security skills are being applied to the virtualization environment. This can be more difficult, as virtual machines can move around the IT estate as business demands and workload priorities evolve. The emphasis has to be on planning and awareness of the possibilities that this shifting environment represents. Keeping the virtual and physical network traffic separated through use of VLANs is the first step, followed by implementing Intrusion Prevention and firewall systems that can monitor and inspect traffic between the virtual machine host servers. For organisations that are looking at desktop virtualization, rolling out anti-virus within the guest machines is still a necessary step, even though virtualising the session makes any patching or virus clean-up much easier and faster.

The next consideration is how virtualization can potentially improve security planning and execution. As virtual machines are isolated environments, it makes it easier to run multi-tenant environments where separation is required, even on the same hardware. This is particularly useful for managed service providers, where virtualization allows them to host more customers on the same amount of physical kit.

New approaches to security in a virtualized environment
Hardened virtual appliances, which are purpose-built virtual machines for a specific task, are also becoming more popular with organisations, as they can help the security function to benefit from the same results around virtualization as the rest of the business. A research report from IDC in December 2009 stated that virtual security appliance budget allocations will continue to grow over the next year to 18 months, as the Total Cost of Ownership results are better than using separate point software products or dedicated hardware.

The other area where new approaches to security are being considered is the cloud. Cloud computing can mean different things to different people, but the most common definition is using the Internet to deliver a reliable service to users, where the amount of that service can be scaled up or down depending on demand. This flexibility, coupled with a “pay-as-you-go” billing model, makes it attractive to organisations where capital expenditure is heavily reduced or where it is hard to get budget sign off.

The potential for cloud computing is huge, as it can make IT service delivery more efficient and cost-effective. However the cloud faces several major hurdles, the biggest of which is around security. As data will be moving out of the company's direct control, security and privacy concerns are significant, especially in those industries where regulations on data retention and ownership are in place. Establishing the cloud as a trustworthy platform for the business will be an ongoing concern, no matter how attractive the potential savings. 

The biggest issue to remember is that all the data involved is yours. Even though it may be residing on another company’s storage, it is the responsibility of the customer to ensure that it remains secure. Due diligence on the cloud provider and continually asking questions about how your partner or potential provider keeps their network secure is essential. Visiting the data centre personally can be another step in building trust. If moving completely into the cloud does not suit the business, then taking a trusted partner that can manage the systems on your premises remotely can be a suitable ‘halfway house’ that can deliver the cost benefits of full cloud, while retaining some control.

Software-as-a-Service providers have already made some headway in demonstrating how trust and security around data can be gained. As this process continues to gather steam, security providers are also looking at how the cloud can make procedures more efficient. Examples of where cloud-based services can be effective include email archiving and web security, as the value for the organisation is in managing the process efficiently, rather than hosting the products or service on-site.

As organisations roll out further virtualised infrastructures or move their workloads into private and/or public cloud environments, the security team has to be involved in establishing best practices around these shifts in strategy. What virtualization and cloud can provide to the business in tandem with security is more efficient management and automation of non-critical IT functions. In an age where IT resources are more stretched than ever before and the pressure is on to deliver better results on static budgets, this represents a significant opportunity to deliver the results that businesses need in order to remain competitive. As these technologies move into production, the right security planning can ensure that the use of virtualization or cloud computing actually deliver the promised benefits.