According to Forrester Research, 42% of all enterprise server resources will be virtualized by 2009. [1] Referred to by many names - server virtualization, OS virtualization, kernel virtualization - virtual machine (VM) platforms, such as VMware ESX and Microsoft Hyper-V, are typically the first forms of virtualization introduced to the data center. These technologies are becoming both less expensive and more accessible, making them attractive candidates to be the first virtual "guinea pigs" in the data center. Factors such as consolidation, cost savings, dynamic provisioning, and fluid migration are driving most IT shops to experiment with some form of a virtual platform, driving the adoption of virtual systems in the data center. The advent of large-scale infrastructure systems has moved virtual platforms into the full, public-facing application infrastructure in the data center.

Virtual platform providers have been addressing internal security concerns with their own platforms for some time, as have external groups such as the Center for Internet Security with their VM security benchmarking projects. The goal of these projects is to address the security of the platforms - that is, the base-level running environments for virtual machines. Security criteria included such tasks as blocking external access for remote logins or making sure only authorized administrators could reconfigure the software switch. From an IT perspective, this is similar to locking down Microsoft Windows 2003 web servers; all of the security is applied at the platform level, whether it is a virtual platform like ESX or a physical one like Windows 2003 Server running on bare metal.

Virtual platforms add an additional layer of security requirements, however. The same security threats that exist against Windows 2003 or a particular distribution of Linux will also exist once that OS has been migrated to a VM. The migration to virtual machines in the data center requires a re-architecting of the security plan and structure, leading to potential issues involving Incidence Response, virtual debugging of virtual operating systems and virtual software switches, and DMZ reorientation and design - all of which need to be factors in the security plan for the migration to VMs.

To address the security concerns brought on by introducing virtualization to the data center, a rather large technology sector has emerged: virtualization security, or virtsec. One of the challenges facing IT is "What is VirtSec and how can I implement it?"

Virtualization security can be broken down into three categories:

1. Security risks added to the data center when new virtualization technologies are introduced, such as the security risks of running multiple VMs on a single hypervisor
2. Security of virtual machine images and guest operating systems
3. Virtual instances of physical security devices, such as going from a physical firewall and IPS to a virtual image running the same services

The virtsec market is quickly addressing security issues associated with guest VMs such as patch management and inspecting network traffic between VMs on the same host and software switch, and implementing security technologies directly in VM guests. In fact, one of the largest drivers behind virtualization security implementation is the availability of antivirus and firewall VMs that run on the virtual platform infrastructure. The risk associated with the virtual platforms themselves, however, is still fairly unknown, as there aren't a tremendous number of solutions available for internal hypervisors and platform security today. While tactically the least exploitable part of the virtual data center, hypervisors are strategically the most lucrative attack vector in the VDC as they provide a single point of attack to gain access to multiple, if not all, virtual systems in the data center.