Sep 14 2012

Sorting Out the Truths and Myths of Virtualization Security

Not everything you hear about virtualization security is right.

When a technology trend becomes a buzzword, it’s easy for the legend to become a bit outsized with the reality. Virtualization, often touted for its efficiencies and cost savings, is one of those technologies that people tend to exaggerate either positively or negatively, depending on their perspective.

In an effort to provide some clarity and put to bed some outright fables about virtualization security, Neil MacDonald, a Gartner vice president and fellow, laid everything out in a post on his Gartner blog.

Here are three of the virtualization security myths he helped dispel:

1) Myth: Physical is better than virtual.

Reality: Define “better.” Software and virtual appliance–based security controls are more adaptable to the rapidly changing infrastructure requirements of a modern, virtualized data center. A recent case study by Intuit at VMworld documented the time to secure a VM being provisioned dropped from 30 days to 30 minutes using software-based and automatically provisioned security controls.

2) Myth: Physical security control provides better separation of controls than virtual.

Reality: This confuses physical separation with logical separation. Role-based access control to security control functionality, as well as the use of a separate security and management control plane, provides the necessary separation of duties. A related myth is that infrastructure can’t protect infrastructure: Sure it can — and quite well.

3) Myth: Physical security appliances are faster than virtual implementations.

Reality: Yes and no. You might think of security as the serialized application of security policy enforcement at ‘choke’ points in the network (like placing an IPS at the perimeter of the enterprise or a next-generation firewall at the perimeter of the data center). The mistake in this thinking is the rationing of security policy enforcement based on physical network topology. Some of this is caused by the cost of physical appliances. Some of this is a byproduct of physical network topology. In both cases, challenge the assumption that placing big boxes at aggregation points is the best architecture. Parallelize the security policy enforcement closer to the workloads they are protecting using hypervisor-based or virtual appliance–based security controls.

What other virtualization security myths have you had to shatter in your organization?