Virtual environments demand new approaches to security

Early adopters are excited by the new security options in VMware's recently released vSphere "cloud OS", but there's still no shortcuts when it comes to creating appropriate security policies for virtualised environments.

At the rollout event for the new vSphere in Sydney last week, VMware customers said that while it offered useful new options for creating a more secure environment, security in the cloud remained a challenge.

One key feature of vSphere is "vShield Zones", which allow security policies to travel across application sets while operating across multiple virtual machines.

"We've really been focusing on the management aspects of it," said Glenn Gore, chief technology officer for Melbourne IT. "We've found from the beta program that managing these big complex environments is much easier."

"vShield is one of the big silent advantages of vSphere. What vSphere lets you do is take a virtual firewall and wrap a virtual machine with it. vShield makes it obvious how much intra-virtual machine traffic is going on."

"vShield creates a layer between the virtual machines on that network. As you move that load around the data centre, that keeps following that VM around. That's virtually impossible to secure with traditional approaches as staff couldn't manage it." But it's now a common scenario for Melbourne IT: "Of our thousand VMs, well move 30% within 24 hours," Gore said.

Beta testers see improved security and management as a major benefit of the latest release. The Australian Bureau of Statistics (ABS) is planning to fully migrate to vSphere this month. It runs 1500 virtual servers, and has reduced its load of physical servers from 300 to 70.

"The only reason we're running 70 servers is because our gateway's virtualised," explained Tony Marion, director of servers, operating systems and storage at the ABS. "With vShield there's physical separation and we've probably got more servers than we actually need."

But those improvements don't mean that security isn't a major headache. "Security is getting more difficult by the day really" Marion said, though he noted that virtual environments did simplify some issues. "In some ways its actually easier with the virtual machine because it's easier to manage; you know where it all is, and it's not separated. Half of our testing has just disappeared because we don't have to run two applications together. That's one of the huge efficiencies you get."

"Security within the VM is in some ways no different to a physical model. You still need firewalls and good practice with virtual switching." Indeed, getting the zones to work fully requires support at the hardware level (Cisco has already signed up to interoperate its switches with the software.)

Security for the cloud has become a major talking point recently, with the Cloud Security Alliance this week outlining 15 key issues that need to be considered in order to adequately secure cloud environments.