Virtualization technology, which allows multiple operating systems to run different applications on a single computer, has caught the attention of IT managers for its promise to let them better manage and utilize corporate IT resources.
However, some IT managers and security researchers warned that the emerging technology also makes corporate systems far more vulnerable to hackers.
Chad Lorenc, information security officer at a financial services company that he asked not be named, said that IT security and compliance projects are far more complex undertakings on virtual machines than on servers that run a single operating system and a single application.
"It is a very complex issue," Lorenc said. "I'm not sure you are going to find a single solution" for addressing security issues in a virtual environment.
"There is no silver bullet," he added. "You have to tackle security from a people, process and technology standpoint."
Virtualization technologies allow companies to carve out multiple virtual machines within a single physical resource, such as a server or storage array.
Each virtual machine runs a separate operating system that runs its own applications, functioning exactly like a stand-alone computer.
The technology allows companies to consolidate applications running on multiple computer systems into a single server, which promises to ease management requirements and allow hardware resources to be better utilized.
Analysts noted that the technology has been around for several years, but IT organizations started to increasingly use it as new virtualization systems emerged in recent months from companies like Intel, Advanced Micro Devices, VMware, Microsoft and IBM.
But as the technology spreads, it's important that IT managers understand that collapsing multiple servers into a single box does not change their security requirements, said George Gerchow, technology strategist at security vendor Configuresoft's center for policy and compliance.
In fact, he said, each virtualized server separately faces the same threats as a traditional single server.
"If a host is vulnerable, all associated guest virtual machines and the business applications on those virtual machines are also at risk," he said.
Therefore a server running virtual machines faces more danger from a single exploit than a single physical server, Gerchow said.
He noted that virtualization software allows developers, quality assurance groups and other corporate users to set up virtual machines with relatively little effort, and without IT oversight.
Such virtual machines can pop up, move across systems or disappear entirely on an almost constant basis if IT managers don't take measures to maintain control of each of them.
"IT departments are often unprepared for the complexity associated with understanding what virtual machines exist on servers and which are active or inactive," he said.
Without the ability to keep track of virtual machines, companies often cannot patch flaws or update systems when necessary, he said.
"When you have a virtual environment users tend to start piling on the virtual servers, " Lorenc said. The combined value of the assets on the host system can get "very high, very quickly," he said.
Even if IT personnel do keep track of all virtual machines running on a server, they can still face problems installing patches or taking systems offline to perform routine security upgrades, Gerchow added.
He noted that the risks associated with patching holes and upgrading applications grows each time a new virtual machine is added to a server.
Lorenc suggested that companies install tools that can quickly detect and discover virtual machines as they are installed on a corporate server. He also advised that companies create strong policies to control the spread of virtual machines.