
IBM security expert: X86 virtualization not ready for regulated, mission-critical apps

In a session on virtualization held at Interop Las Vegas this week, IBM security expert Joshua Corman argued that X86 virtualization is not ready for highly regulated, mission-critical applications. The problem is that virtualization opens up new attack surfaces and presents additional operational and availability risks.

In addition, advanced features--such as live migration of virtual machines--increase the complexity. Besides the possibility of man-in-the-middle attacks designed to intercept unencrypted data when virtual machines are in transit, another pertinent question to ask is whether a virtual machine has been moved to a less secure machine.

Indeed, virtualization makes it difficult to meet regulatory requirements such as the PCI DSS. Corman, who is the principal security strategist for IBM's Internet Security Systems division, said, "If you have a choice, I highly recommend you don't adopt virtualization for any regulated project. If you're going to make mistakes, it's better to do so on less critical systems."

Ironically, though, Corman noted how obsession with compliance results in people giving up on risk management. He does offer some advice for organizations working with virtualization. For one, only Type 1, or bare-metal, hypervisors should be used for production applications. Also, production applications should be separated from those used for testing or development.

For more on this story:
- check out this article at Network World
