Security slows the development of server virtualization

Last year, Stanford hospital in the United States moved general applications from traditional server platforms to VMware virtual machines, and found significant security deficiencies. "We have changed the nature of the IT infrastructure, but there is uncertainty about the impact of virtualization," said Mike Mucha, the hospital's information security officer. The virtual device begins to evolve into a derivative of the server component, controlled primarily by the server group, but the exchange of virtualization means that the traditional network itself has been changed. "In the virtualized world, security issues have begun to emerge, such as where to deploy intrusion detection and management systems or firewalls." Virtual machines have a very fast pace of installing and uninstalling VMS, but this speed can also have an impact on the other. Mucha that another layer of security control should be added to VMware's ESX server and management console to enhance security, mainly by inserting policy execution application devices from the startup HyTrust. The HyTrust control device controls the administrator and user decisions, and can increase the capabilities for virtual machine intrusion detection. Mucha says that when it comes to virtualization, the associated security risks have been addressed, especially when Cisco, Juniper and other traditional switch vendors introduce more advanced virtualization switching technologies. Other security experts warn that virtualization does pose new risks, but people should look at these risks correctly, especially those that belong to regulators, such as the payment card industry's data security standards, and any business that deals with payment card business needs to comply with that standard. For those who are completely inexperienced with virtualization, "If you've made your choice, I strongly recommend that you do not deploy virtualization technology for any project that needs to be compliant," Joshua, the chief security strategist at IBM's Internet Security Systems Division Corman at a recent interop conference. Joshua says that virtualization brings new attack surfaces, business, and supply risks and complex functionality (such as online migrations) that can transfer virtual machines from one physical server to another, which also poses new attack possibilities. Data center managers may be concerned that their virtual machines are being moved to a less secure server. For the use of virtualization technology in a production environment, Corman strongly recommends type 1 virtualization: Virtual bare metal that runs directly on the hardware, type 2 managed virtual: Typically used for testing and development environments. He also pointed out that the PCI DSS complicates the problem because it recommends that only one primary intelligence per server should be available, which may mean that the server should not be virtualized at all to conform to the PCI DSS standard. Recognizing the uncertainty of this matter, the PCI Security Standards Board plans to add new rules for virtualization and payment card processing by the end of the year. Safety managers in the compliance industry are treated with a very vigilant attitudeVirtualization technology. "In the current economic climate, companies are trying to save money, which is why many companies choose virtualization technology, but if virtualization can lead to high risk and security issues," says Lynn Terwoerds, a financial services company's security architecture and standards manager at Barclays Bank. These savings could lead to even greater losses. "I'm still worried about virtualization security," terwoerds at a panel discussion at the RSA Conference last month. "Recently Barclay Bank is studying the impact of the deployment of virtualization technology, the risks that play a role in banking technology decisions and the auditor has been asking," What new risks will virtualization deploy, and can you mitigate that risk in any way? " Terwoerds said it was difficult to determine the data on these issues because banks had to meet a number of data-retention regulations and SOX regulations and were not free to count the data. We also want to clearly define where the customer's data is stored, and the PCI standard is like "pouring a bucket of cold water" into the virtualization deployment. While domestic virtualization applications are not yet fully widespread today, the larger problem of virtualization is not just the technical issues that need to be understood, but how to manage suppliers and contract issues, especially when regulated by regulators. In detail, with the rapid development of IT business, as well as the increase of energy saving and consumption reduction, virtualization technology is facing more and more problems at home.