"To my knowledge, there has never been a hack that has allowed a security problem to propagate from one virtual host to another by way of the hypervisor technology," says Steve Ross, a consultant with Catapult Systems, which is helping logistics provider Transplace deploy and maintain its VMware virtual environments.
"It could happen, and the attacker or breach could hop from [virtual machine] to [virtual machine], but I have yet to see it as a functional exploit out there today," adds Tim Antonowicz, systems engineer at Bowdoin College.
Antonowicz, who uses VMware ESX to virtualise servers, says he tries to thwart such problems by sequestering virtual machines in resource clusters, depending on the sensitivity level of the applications or data the virtual machine is housing. "You have to segregate machines in that manner to heighten security," he says.
Edward Christensen, director of technical operations at Cars.com in Chicago, is also taking steps to insulate his company's virtual environments.
"The old-school ways of securing an environment involve putting firewalls between the database and application layers, for instance, but when you have a virtualised environment, those lines get crossed," Christensen says. The online automotive company uses VMware to virtualise servers on HP boxes, and Christensen says being able to store virtual environments off the network helps ease security worries. "It's one of the nice things about virtual environments," he says.
2. Virtual machines multiply patching burdens
The threat of virtual-server sprawl, a scenario in which the ease of deploying virtual machines results in more instances than planned, makes staying on top of patches and updates for operating systems critical in a virtual environment.
"Patching becomes more challenging, because these [virtual machines] move around, and they multiply," Burton Group's Lindstrom said. "The ability to validate the patch status on individual machines becomes more important in the virtual world."
IT managers agree that patching is critical in virtual environments, but the real difference between patching virtual and physical servers isn't a security issue; it's a matter of volume.