Virtualization is a term that has been coined to refer to the abstraction of computer resources. This includes abstraction of both hardware and software at multiple levels, from individual servers and clients to complete networks. In this latter instance, the term “virtual infrastructure” has been used to refer to abstracted resources of a computer network, inclusive of all the hardware and software.
To understand some of the benefits that have been realized through the use of virtualization consider that in traditional, non-virtualized environments, data centers typically follow the “one server-one application” rule. This results in a large number of servers, each requiring its own storage resources, power supply, and physical cabinetry or other space. Because resources cannot be added to these systems easily or quickly, they are often over-provisioned to handle “worst case” or peak load scenarios. As a result, much of the actual capacity of the data center is under-utilized most of the time.
In contrast, server virtualization abstracts the resources of physical computer machines to create larger pools of processor and memory resources that can be allocated dynamically to applications or processes, as they are needed. Virtualization partitions an individual physical server into several “virtual machines” each of which can run its own “guest” operating system and application environment. This lets organizations consolidate workloads and run multiple applications on the resources of shared servers, so existing hardware can be better and more fully utilized. Similarly, visualization techniques can be applied to other resources, such as networks and storage. Virtualization also allows the packaging of complete operating system and applications as a portable virtual environment (also referred to as encapsulation), that can be moved from one virtual machine location to another, for example, if a server fails or resources becomes unavailable.
With the benefits of virtualization, however, come several serious security risks. Because virtual infrastructures can now be managed remotely through software, controls that existed in the pre-virtualization world are now relaxed or bypassed altogether. Users with access to software management facilities now can create copies of disks with sensitive data, cause denial of service to an important application by starving it of resources or accidentally connecting a critical virtual machine to an insecure network. More malicious attacks may take the form of “hyperjacking” in which hypervisors (software layers that abstract physical hardware resources from the virtual machines running thereon) are compromised, leading to the attacker gaining unfettered access to all of the virtual machines running on a server. These and other risks demand that virtualized resources be placed under the control of stringent security facilities.