Security Issues with Cloud Computing Virtualization

By Judith Hurwitz, Robin Bloor, Marcia Kaufman, Fern Halper

Using virtual machines complicates IT security in a big way for both companies running private cloud computing and service providers. Virtualization changes the definition of what a server is, so security is no longer trying to protect a physical server or collection of servers that an application runs on. Instead, it’s protecting virtual machines (or collections of them).

Because most data centers support only static virtualization, it isn’t yet well understood what will happen during dynamic virtualization.

Network monitoring with cloud computing

Current network defenses are based on physical networks. In the virtualized environment, the network is no longer physical; its configuration can actually change dynamically, which makes network monitoring difficult. To fix this problem, you must have software products (available from companies such as VMware, IBM, Hewlett-Packard, and CA) that can monitor virtual networks and, ultimately, dynamic virtual networks.

Hypervisors and cloud computing security

Just as an OS attack is possible, a hacker can take control of a hypervisor. If the hacker gains control of the hypervisor, he gains control of everything that it controls; therefore, he could do a lot of damage.

Configuration and change management

The simple act of changing configurations or patching the software on virtual machines becomes much more complex if the software is locked away in virtual images; in the virtual world, you no longer have a fixed static address to update the configuration.
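
The following Python sketch is an added example, not part of the original article. It shows why a patch worklist keyed on network address breaks down when virtual machines move or sit dormant as images, and why keying on a stable VM identifier does not. The inventory records, the UUID field, and the patch baseline are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

REQUIRED_PATCH = 42  # hypothetical patch baseline

@dataclass(frozen=True)
class VM:
    uuid: str               # stable identity assigned at creation (assumed)
    patch_level: int        # hypothetical patch number
    address: Optional[str]  # None: dormant image, not on the network

# Constructed inventory snapshots taken a day apart.
MONDAY = [
    VM("vm-a1", 42, "10.0.0.5"),
    VM("vm-b2", 40, "10.0.0.6"),
    VM("vm-c3", 39, None),          # stored image, powered off
]
TUESDAY = [
    VM("vm-a1", 42, "10.0.0.6"),    # re-provisioned onto vm-b2's old address
    VM("vm-b2", 40, "10.0.0.9"),    # moved
    VM("vm-c3", 39, None),
]

def unpatched(inventory):
    """UUIDs of every VM below the baseline, running or dormant."""
    return {vm.uuid for vm in inventory if vm.patch_level < REQUIRED_PATCH}

def address_worklist(inventory):
    """What an address-keyed process records: addresses of unpatched VMs."""
    return {vm.address for vm in inventory
            if vm.patch_level < REQUIRED_PATCH and vm.address is not None}

def resolve(worklist, inventory):
    """UUIDs that actually sit at the worklist addresses at patch time."""
    return {vm.uuid for vm in inventory if vm.address in worklist}

def missed(planned_from, applied_to):
    """Unpatched VMs that an address-keyed run never reaches."""
    reached = resolve(address_worklist(planned_from), applied_to)
    return unpatched(applied_to) - reached

if __name__ == "__main__":
    print("worklist by address:", address_worklist(MONDAY))
    print("actually reached:   ", resolve(address_worklist(MONDAY), TUESDAY))
    print("still unpatched:    ", sorted(missed(MONDAY, TUESDAY)))
    print("worklist by UUID:   ", sorted(unpatched(TUESDAY)))
```

In this sample, the address-keyed run lands on a machine that is already patched and reaches neither the moved VM nor the dormant image, while the UUID-keyed list names both.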

Perimeter security in the cloud

Providing perimeter security, such as firewalls, in a virtual environment is a little more complicated than in a normal network because some virtual servers are outside a firewall. This will be the responsibility of the service provider.

This perimeter security problem may not be too hard to solve because you can isolate the virtual resource spaces. This approach places a constraint on how provisioning is carried out, however.