The topic of hypervisor security has garnered a lot of interest as organizations struggle to deal with virtual server sprawl. It's become very easy to push a few buttons and deploy dozens of new virtual servers, each one of which can be a point of entry into the organization. Worse, hypervisors themselves can be attacked if not properly secured.
What steps, if any, are you taking in your organization to address the issue of security in your virtual environment?
I think the first step in securing virtualized environments is to put in place a good VM management policy to avoid VM sprawl. A good policy/procedure is one that is revised on a regular basis between IT people and data/service owners.
I recall one important element of the VM policy document that stated that users (data owners) requesting new VMs had to specify the expected lifetime of the VM. When this expires the IT staff was instructed to verify with the user and get confirmation from his/her immediate superior to justify another time slot, otherwise the VM is backed up and terminated.
Every environment has its own restrictions but a good practice is to set up a policy based on the resources available and business priorities.
Good points all. Taming virtual machine sprawl is even more important now that VMware has instituted new licensing policies that actively punish customers for overallocating RAM whether it's due to creating an unnecessary VM or creating a VM with too much RAM.
new licensing policies that actively punish customers for overallocating RAM
I don't know on what basis VMware decided to go for this new licensing model but it seems that they want to make more money out of VM sprawl and the users' negligence or inability to control it! Without knowing many details of the new licensing model, I would comment against it as I think it's inappropriate to have a vendor determining a baseline for memory usage and then charge users against that baseline. I might agree with this model if VMware reduces considerably the initial licensing costs!
Exactly! All VMware really did with this was eliminate core count as a licensing limitation and replace it with a more volatile RAM count. There is no value add for the customer... just more out of pocket.