While a virtual infrastructure can dramatically reduce costs and improve the efficiency of your IT operations, it is vital to understand the security implications of virtualisation and of how you choose to deploy the technology.
Hosted & Bare-Metal Virtualisation: A Comparison
The two common approaches to virtualisation are hosted, where the virtualisation layer sits on top of a general-purpose operating system, and bare-metal, where the virtualisation layer is installed directly on the device hardware. Each method has its own security implications; those of the hosted approach include the following:
- Operating system vulnerability: because hosted virtualisation sits on top of an operating system, vulnerabilities in and attacks on that operating system also put the virtual machines running above it at risk.
- File sharing: a hosted environment can allow information to be shared between the user's environment and the host. While this is convenient, it also creates a channel for data leakage and for malicious code to enter the platform.
- Resource allocation: hosted virtualisation runs as an application within the operating system, so its resources are allocated alongside those of every other service and program on the host, which can affect the availability of the virtual machines.
- Usage type: a hosted approach is best suited to functions with little or no public interaction; development, testing and demonstration setups are typical examples.
In comparison, a bare-metal approach minimises the risks listed above because the dependency on a general-purpose operating system is removed. The virtualisation layer is effectively isolated, so the attack surface is far narrower and it is much more difficult for malicious code to gain a foothold in the virtualised environment. This also makes a bare-metal approach more suitable for use in a general workplace.
Deliver Greater Security With Thin Virtualisation
A recent development in this area is thin virtualisation, which strengthens both security and manageability. Thin virtualisation does without the operating system console, thereby removing a series of potential vulnerabilities and bringing benefits including:
- A reduced maintenance requirement
- A smaller attack surface, because there is no attendant software to exploit
- Unauthorised software cannot be installed
- Agentless monitoring through the platform's APIs, with no need to install external software