Virtualisation security is not just about securing the virtual network, nor is it just about securing the virtualisation server operating system.
It is about realising that a virtualisation server is a hybrid device, whether it be VMware Virtual Infrastructure 3, VMware Server, VMware Workstation, Citrix XenServer or Microsoft Hyper-V.
Virtualisation servers are a mix of a hypervisor device (OS), a networking device (bridge or switch) and a storage interface.
Currently, security folks know how to harden an OS and/or they know how to protect a network bridge or switch appliance. Few know how to do both simultaneously, or how to deal with the hypervisor as a complicating factor.
Do you need a high-priced virtualisation security expert to do this? These experts are few and far between and you probably don't need them. What you do need is the ability to pool all your security expertise in one group and educate them on the realities of virtualisation. You need to remove the barriers and fiefdoms that spring up around IT and let these folks work together.
Other groups often take a combative rather than synergistic approach when dealing with virtualisation administrators.
For example, it can be tough getting storage teams to properly lay out the LUNs (logical unit numbers) involved with virtualisation servers, getting network administrators to set network speeds and configure ports for virtual-server hosts, or even getting OS security administrators to understand what tools they actually need instead of requesting unnecessary access and applications.
The combative nature that prevents this kind of cooperation often stems not only from organizational issues, but also from the need for a virtualisation administrator to act as an administrator for storage, security and networks.
Since a virtualisation server covers all three areas, virtual-server administrators need to fully understand all three, or have the help of teams from storage, security, network, and operations. While it may be possible for one person to learn everything in these arenas, it is better to utilize the existing expertise.
The answer to this IT staff problem: educate all IT teams in the realities of virtualisation. Virtualisation is here to stay; it is not a fad; it is a reality. Whether by purchasing virtualisation books for your IT teams or by providing training for your team members, all teams need to speak the same language, and this includes the virtualisation administrator.
The virtualisation administrator is the glue that makes it all possible, so he or she also needs education in order to speak the language used by the other teams. Otherwise, you get the 'You do not know what you are talking about' approach to teamwork.
Education must start at the top. Most C-Level people employing virtualisation already understand the benefits. But the top IT people within a corporation must have more technical training.
Specifically, security specialists must understand how VMs are different from physical servers, or security decisions will be based on outdated and inaccurate information. Fixing those mistakes requires expensive help in the form of one of the few available big-gun virtualisation security consultants.
The IT playing field has shifted to a more integrated world where IT fiefdoms and protections are no longer valid and should be dismantled.
To me, not learning all you can about virtualisation is a career-limiting move.
Virtualisation expert Edward L. Haletky is the author of "VMware ESX Server in the Enterprise: Planning and Securing Virtualisation Servers," Pearson Education (2008). He recently left Hewlett-Packard, where he worked in the Virtualisation, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualisation, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.