Security concerns cloud virtualization deployments

IT managers worry the intangible boundaries in virtual environments might not keep out the bad guys

2. Virtual machines multiply patching burdens

The threat of virtual-server sprawl -- a scenario in which the ease of deploying virtual machines results in more instances than planned -- makes staying on top of patches and updates for operating systems critical in a virtual environment.

"Patching becomes more challenging, because these [virtual machines] move around, and they multiply," Burton Group's Lindstrom said. "The ability to validate the patch status on individual machines becomes more important in the virtual world."

IT managers agree patching is critical in virtual environments, but the real difference between virtual- and physical-server patching isn't a security issue; it's a matter of volume.

"We need to keep in mind that our servers that are virtualized require the same patch management and maintenance as physical servers," Catapult's Ross says. Transplace has three virtual environments -- two inside the network and one in the DMZ -- which include about 150 virtual machines. "The hypervisor adds another layer to focus on in patching, but patching itself is equally critical on physical and virtual machines," Ross says.

For Bowdoin's Antonowicz, staying in front of virtual-server sprawl is a priority now, because the time it takes to patch machines increases when servers multiply beyond his direct control. In the past he routinely patched 40 servers, but now he is responsible for securing more than 80. He hopes one day to find tools to better automate the process.

"Virtual environments can grow too fast without physical constraints," Antonowicz says. "Before we roll out more [virtual machines], I want to look into more automation around patching."

3. Running virtual machines in the DMZ

As a rule, many IT managers avoid putting virtual servers in the DMZ, and other IT managers won't run mission-critical applications on virtual machines in the DMZ or even on those machines protected by corporate firewalls. According to Burton Group's Lindstrom, however, it can be done when using proper security measures. "You can run virtualization inside the DMZ as long as the firewall or separating device is physical. And in most cases, as long as you are separating out resources, you are good to go," he said.

Bowdoin's Antonowicz says DMZ or not, he sets up his virtual environments with the mind-set that exploits exist, and he works to limit the access among clusters of virtual resources. "Each cluster has its own set of resources and accesses so you can't get from one to the other and there is no way to jump within each cluster," he explains.

Many IT managers work to segment their virtual servers and keep them within corporate firewalls, but some do place virtual machines in the DMZ, with only noncritical services running on them. According to Scott Engle, director of IT infrastructure at Transplace, everything of value is behind the firewall, and the applications running on virtual machines in the DMZ include such services as DNS.

"We run [virtual machines] in a trusted segment on a trusted host. In our DMZ, we will run physical boxes with a few VMware instances, but we do not bridge the gap between trusted and untrusted networks," Engle says.
