In case you all haven't noticed, there is a trend taking place that is all about building "GREEN" and "VIRTUAL" data centers which take advantage of dense computing architectures.
This trend is taking off for a number of reasons:
Multi-Core processing = More processing power for more applications on a single server
Blade Server = More servers with more processors in a smaller amount of rack space
Virtualization = More operating systems in a physical server.
Multi-Core + Blade Server + Virtualization = Green, less cost, easier managed, less space, less cooling, less power, etc. etc. etc.
I think we all get it! It has lots of advantages!
BUT... What we have created is "Dense Computing" which is putting a lot of security eggs into one basket. Imagine having a Blade Server with 12 blades in it, each blade having 8 CPU cores fitting into about 15U of rack space. You now have 96 CPU's to drive your operating systems and applications. Wow! In the old days that would have been a mainframe of sorts or some Cray Super Computer! Or in more recent times that would have been 96 rack mountable servers in your data center.
Now, take this one blade server and replicate it until you fill up a rack and replicate it some more until you fill up a row in a data center.
Now you have lots of "Virtual Servers" and "Virtual Desktops" running in a very very small piece of real estate. This is great news! All delivered by the power of multi-core processing technology, blade based computing technology and virtualization technology. Once again; Mutli-Core + Blade Computing + Virtualization = Green, less power, less rack space and uhhh..... LESS SECURE!
Why is this less secure? Well in the past you had physical servers and in many cases you segmented off your data center by having physical firewalls between servers or server groups. If all of these servers are now running in a virtual environment you no longer have the ability to physically isolate these servers and the problem just got worse because you have more density of them in a place where you can't secure them.
If you think about the example of one blade server environment with 96 CPU cores and virtualization layered on top of it, you can easily see an environment where one could get 960 virtual servers in a single blade server with 12 blades of dual quad core processors. Wow! Thats 960 virtual machines with no isolation between each other. You could possibly get some isolation between the blades "IF" you turned on some ACL's in the "Integrated Blade Server Switch" but the traffic definitely isn't going to touch your physical NetScreen or Checkpoint firewall unless you start routing traffic out of the box and back in.
People are starting to talk about the security problems caused by virtualization but I thought I'd point out the fact that the problems gets even bigger when you virtualize on multi-core and blade server environments.
Think twice on your security design before you deploy! Ask your security vendors to support virtualization!
<---Click to view
Gartner has something called the Hype Cycle and I think this problem is more than "Hype" and is something that companies should take a serious look at right away. The good news is that awareness and education in the market is taking place on this topic as indicated in this Graph showing Gartner now tracking "virtual security partitions". Thanks Niel McDonald of Gartner for paying attention to this space!
JP
Comments
You can follow this conversation by subscribing to the comment feed for this post.