SC Magazine takes a look at some of the threats facing the cost-saving technology known as server virtualisation.
The benefits of the technology are game-changing: virtualisation better utilises system resources and increases performance, while reducing the time and money associated with space, power, cooling and management constraints. It is the future of computing, experts agree. According to a 2006 Yankee Group survey of 750 businesses, 62 percent of respondents already have or plan to deploy a virtualisation solution. And further sweetening the pot in this market, vendor giants, such as Intel and Microsoft, have now gotten in on the game.
But even though there have been few, if any, in-the-wild attacks against virtualised machines, virtualisation introduces an entirely new threat vector that, if not safeguarded properly, could attract even more security issues than the traditional desktop computing model.
The main concern about virtualisation, say experts, is the danger an unprotected host operating system presents. If attackers can compromise the hypervisor — a thin layer of software that runs in the host and serves as the virtualisation engine — they may earn free rein over every single guest, or virtual, machine (VM) operating on that host system.
“It's kind of like a single point-of-failure for multiple machines,” Hart says, referring to the hypervisor.
Neil MacDonald, a Gartner vice president, says that if IT departments do not properly plan for virtualisation by implementing security best practices, any business gain may be negated.
“Virtualisation, by definition, is a layer of abstraction,” he says. “It is a software layer that gives you this abstraction. It's a new layer. People overlook how important that layer is and that it must be secured and properly configured like any other layer in the stack.”
As organisations begin implementing virtualised solutions en masse, hackers will take notice and flaws will be discovered. Vulnerabilities in products from VMware — the Palo Alto, Calif., virtualisation software leader — have jumped from just one in 2002 to 34 already this year, according to data recently compiled by Kris Lamb, director of the X-Force research team at IBM Internet Security Systems. A representative from VMware could not be reached for this story.
Read the entire article from Secure Computing, here.