By paulmah
Created May 22 2009 - 11:32am
In a session on virtualization held at Interop Las Vegas this week, IBM security expert Joshua Corman argued that x86 virtualization is not ready for highly regulated, mission-critical applications. The problem is that virtualization opens up new attack surfaces and presents additional operational and availability risks.
In addition, the presence of advanced features--such as live migration of virtual machines--also increases the complexity. Besides the possibility of man-in-the-middle attacks designed to intercept unencrypted data when virtual machines are in transit, another pertinent question to ask is whether a virtual machine has been moved to a less secure machine.
Indeed, virtualization makes it difficult to meet regulatory requirements such as the PCI DSS. Corman, who is the principal security strategist for IBM's Internet Security Systems division, said, "If you have a choice, I highly recommend you don't adopt virtualization for any regulated project. If you're going to make mistakes, it's better to do so on less critical systems."
Ironically, though, Corman noted how obsession with compliance results in people giving up on risk management. He does offer some advice for organizations working with virtualization. For one, only Type 1, or bare-metal, hypervisors should be used for production applications. Also, production applications should be separated from those used for testing or development.
For more on this story:
- check out this article [1] at Network World