Burton Group Develops Five Immutable Laws of Virtualization Security

Market Wire, January, 2008

Burton Group, an IT research firm focused on enterprise infrastructure technologies, published a report providing five immutable laws of virtualization security to help IT organizations ensure improved protection of virtual environments.

Virtualized environments are poised to provide significant operational benefits to enterprises, but they are not without their risks. The introduction of a new layer of software -- in the form of the hypervisor -- and the new architectures that provide the benefits must be evaluated from a security perspective to understand the risk and security impact.

In the report, "Attacking and Defending Virtual Environments," senior analyst Pete Lindstrom reports the threat level for virtualization technologies is accelerating quickly as adoption of virtualization grows. Additionally, malicious attackers are realizing that virtual environments are cheaper targets.

With a clear understanding of an organizations specific use cases of virtualization, combined with standard risk principles, Burton Group developed a set of five immutable laws to help IT organizations drive security decisions in virtual environments:

Law 1: All existing OS-level attacks work in the exact same way.

Law 2: The hypervisor attack surface is additive to a system's risk profile.

Law 3: Separating functionality and/or content into virtual machines (VM) will reduce risk.

Law 4: Aggregating functions and resources onto a physical platform will increase risk.

Law 5: A system containing a "trusted" VM on an "untrusted" host has a higher risk level than a system containing a "trusted" host with an "untrusted" VM.

"Burton Group recommends the best way to determine how virtualization impacts security is to determine where and when to apply controls that are sufficient in the environment based on risk tolerance," says Lindstrom. "Ultimately, whether virtualization is a bane or boon for security depends on how the systems are configured, deployed and managed."

More details about the five immutable laws of virtualization on Burton Group's Security and Risk Management Strategies blog at http://srmsblog.burtongroup.com// .

About Burton Group

Since 1990, Burton Group ( www.burtongroup.com ) has provided research and advisory services helping Global 2000 organizations make smart enterprise architecture decisions. Burton Group provides a suite of context-oriented analysis and a proprietary IT Reference Architecture covering security, identity management, application platforms, service-oriented architecture, network and telecom, collaboration, content management, and the data center. Uniquely focused on the need of IT buyers rather than technology providers, 85% of Burton Group's revenue comes from end-user organizations.

Add to Digg Bookmark with del.icio.us Add to Newsvine

Contact: Amie Johnson Email Contact 801-304-8136