At one time, the whole notion of “virtual reality” had seized the imagination of the technology community to the point where tech writers like me were lining up to strap on the virtual headsets in order to stumble around like drunken sailors and interact with various programmed realities.
While that fad has had its day, a new kind of virtual reality, which virtualizes the computer itself, is now taking hold in the tech world, and it has become one of our hottest buzzwords.
Virtualization, as the name implies, is the creation of virtual (rather than physical) computing environments, including servers, operating systems and the like. Using virtualization software, the hardware of all or part of an enterprise can be mirrored on another “virtual” computer without any messy real-life transfer of data, applications and other goodies. The original server “thinks” it is linking to other physical servers, although these servers exist only in the ether. In fact, many machines may be virtually recreated to allow access for many workers, wherever they may be.
Virtualization means less work, less hardware, more productivity and less cost, but there’s a price to be paid, especially in a technology community that’s increasingly embracing cloud computing, which enables all this increased functionality to happen on the Internet. That’s because bad things—and bad people—can happen on the Internet.
In a nation and world obsessed with reducing costs and juicing performance, the concept of virtualization seems like a delicious bit of low-hanging fruit, but for some time now I have wondered about the potential security risks involved with this technology, and now an analyst briefing has wondered the same thing.
ComputerWorld, NetworkWorld and a number of other online posts are citing Burton Group Inc. analyst Jack Santos, who has co-written a briefing paper, "The Dark Side of Virtualization,” which spells out some of the challenges posed by this very tempting technology.
Santos and others agree that virtualization has many advantages for organizations, but the security issue remains the 800-pound gorilla in the room. A glitch on a single computer may spell trouble for that machine, but a hacker accessing the virtualization stream at the software level could spell disaster for an unlimited number of enterprise servers. And while the servers may be virtual, the data—sensitive customer information, encrypted documents, passwords—are all too real.
As of this writing, there has been no virtualization hack that I know of, but the possibility has already been demonstrated by security firms. To think that cyber criminals will ignore the prospect of grasping the proverbial keys to the online kingdom is foolish. The potential payoff for the bad guys is way too tempting.
What form will it take? Will entire virtual servers—or entire enterprises—be held for ransom by hackers who have cracked into the stream and assumed control? Or will it be something far more subtle, such as the use of a company’s servers to set up more virtual servers for spamming, denial of service attacks or other criminal activity all without the company becoming aware? These scenarios and more are within the realm of possibility.
Santos suggests that management of virtualization needs to be tightly managed and closely monitored. As more and more insurance enterprises and other enterprises see all or part of their operations virtualized, it is essential that the work on securing this technology be done immediately.
The opinions of bloggers on
