I have been very interested in virtualization security since early 2004 and it now seems like it has become a mainstream topic. Most of the focus however is on securing the technology of virtualization (the hypervisor) and providing virtualized security (usually as virtual appliances). My focus nowadays is more on the operational impact of virtualized infrastructure and by extension the impact on security operations. After all, security controls (technology) are essential but without operational controls (people) they are not sufficient. So what is the operational impact of virtualization?

Virtualization technology is being applied across multiple IT silos: servers, applications, storage and networks. In every one of these domains, virtualization hides the physical infrastructure behind an abstraction layer and provides encapsulation of logical instances. When you're looking for the root cause of a fault or a security alert you need to lift the veil and see behind the virtualization layer. This sounds a lot easier than it is in practice. (Read a Network World test on virtualization wares from VMware and Microsoft.)

On top of the abstraction layer, virtual infrastructures are often very dynamic. Live migration technology (such as VMotion or XenMotion) allows virtual machines to move from host to host in near-real-time. On top of live migration there are other layered features like dynamic resource pools and high availability clusters. Together, these create an environment where virtual machines may move automatically to rebalance a load, reduce power consumption or in reaction to a hardware failure. Similar dynamic moves may be occurring in a virtual storage environment and (storage re-allocation) and in the network (load balancing, virtual LAN allocation). In a large virtual server pool this could create an almost constantly changing environment.

Furthermore, security operations must deal with an environment where servers come into existence and are decommissioned at an accelerated rate. Sine virtualization allows admins to virtually build, rack, run and decommission a server in a matter of minutes, the life cycle of a server becomes shorter. Servers evolve from being enduring and tangible to fleeting and ethereal. How do you troubleshoot or forensically analyze a server that only existed for a day? Where do you find its logs, its configuration?