Limit virtualization to management-specified risk aggregation tolerances.
This approach places limits on virtualization based on management
risk thresholds. As risks increase because of aggregation, additional
compensating controls are required and the costs go up. For example,
while low risk systems have almost no protective requirements, medium
risk systems may have many more such requirements. When low risk
systems are aggregated into a combined virtualized environment, the
resulting risk may reach the medium level, forcing increased
protection for systems that used to require very little. The costs of
virtualization are forced to include increased security costs and as
more and more gets aggregated, the return on investment gets smaller
and smaller. Eventually, the right tradeoffs are made and
virtualization is limited with compensating controls in place as
appropriate.
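The tradeoff described above can be made concrete with a small decision-support model. The following is an added example, not code from the original text: it assumes ordinal risk tiers, score thresholds, per-tier compensating-control costs and a constructed fleet of six low-risk systems, and shows the point at which packing more systems onto one host pushes the aggregated risk into the medium tier, so that the added protection costs outweigh the operational savings.

```python
"""Decision-support model for the risk-aggregation tradeoff described above.
Constructed example: the ordinal tiers, score thresholds and cost figures are
assumptions chosen to illustrate the mechanism, not figures from the text."""

from dataclasses import dataclass

# Assumed aggregated-score thresholds for each risk tier (ordered low to high).
TIER_THRESHOLDS = [("low", 0), ("medium", 4), ("high", 9)]

# Assumed annual cost per host of the compensating controls each tier requires:
# low needs almost nothing, medium and high need progressively more.
CONTROL_COST = {"low": 100, "medium": 4_000, "high": 12_000}


@dataclass(frozen=True)
class System:
    name: str
    risk_score: int        # per-system score from the risk register (assumed 1..5)
    standalone_cost: int   # annual cost of running it on dedicated hardware


def aggregate_tier(systems):
    """Risk tier of one host running `systems` together.

    Assumed model: scores add, because a compromise or hardware failure of the
    shared host affects every function on it, so the host must be protected to
    the tier of the combined score, not of its least risky tenant.
    """
    total = sum(s.risk_score for s in systems)
    tier = "low"
    for name, threshold in TIER_THRESHOLDS:
        if total >= threshold:
            tier = name
    return tier


def pack(systems, per_host):
    """Group systems onto hosts, `per_host` at a time (simple sequential packing)."""
    return [systems[i:i + per_host] for i in range(0, len(systems), per_host)]


def plan_cost(systems, per_host, shared_host_cost):
    """Total annual cost of consolidating at a given density.

    Density 1 means every system stays on its own hardware; any other density
    uses shared hosts, each costing `shared_host_cost` plus the compensating
    controls demanded by its aggregated tier.
    """
    total = 0
    for host in pack(systems, per_host):
        base = host[0].standalone_cost if per_host == 1 else shared_host_cost
        total += base + CONTROL_COST[aggregate_tier(host)]
    return total


def consolidation_curve(systems, shared_host_cost):
    """Cost and per-host tiers at every density from 1 up to 'everything on one host'."""
    curve = {}
    for density in range(1, len(systems) + 1):
        tiers = [aggregate_tier(h) for h in pack(systems, density)]
        curve[density] = (plan_cost(systems, density, shared_host_cost), tiers)
    return curve


def best_density(systems, shared_host_cost):
    """Density with the lowest total cost: where the tradeoff settles."""
    curve = consolidation_curve(systems, shared_host_cost)
    return min(curve, key=lambda d: curve[d][0])


# Constructed fleet: six low-risk systems that each cost 1500/yr on their own.
FLEET = [System(f"app{i}", risk_score=1, standalone_cost=1_500) for i in range(1, 7)]
SHARED_HOST_COST = 2_500  # assumed annual cost of one virtualization host


if __name__ == "__main__":
    for density, (cost, tiers) in consolidation_curve(FLEET, SHARED_HOST_COST).items():
        print(f"{density} per host: cost {cost:>6}  host tiers {tiers}")
    print("best density:", best_density(FLEET, SHARED_HOST_COST))
```

With these assumed figures, three systems per host is the cheapest arrangement: it keeps every host in the low tier while halving the hardware count. Going to four or more per host crosses the medium threshold on at least one host, and the compensating controls that tier demands cost more than the hardware the extra consolidation saves. Swapping in real risk scores, thresholds and control costs from an organization's own risk register turns the same loop into the tolerance check the text describes.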
Limit virtualization of security functions but not business functions.
This approach attempts to separate security out from other
business functions and is sometimes offered as a compromise
solution. While security functions certainly have to meet separation
of duties requirements and be limited in risk aggregation, so do other
business functions, and therefore this sort of compromise should be
rejected except in cases of small enterprises where separation is very
limited anyway.
Don't virtualize at all.
Not virtualizing at all may be cutting off your nose to spite
your face. Using a virtualization approach is cost effective even for
the smallest enterprises and completely separating every business
function into its own computer is almost always unnecessarily
wasteful.
Virtualize as far as you can and use redundant virtual environments to compensate for virtualization security implications.
Adding redundant virtual environments to compensate for
virtualization security implications only compensates for
availability limitations of virtual environments and ignores
integrity, use control, accountability, and confidentiality issues
that stem from the imperfection of virtual environments in
separation. In addition, only limited availability protection is
afforded because an attack on one copy of the environment is also
likely to work on another unless additional separation is in place.
Virtualization is all about reducing costs. Combining more computing functions into fewer devices reduces management and operational costs including but not limited to floor space, power consumption, maintenance and support costs, administration time, and supporting infrastructure. But from a security standpoint, it also aggregates risks. Every time you combine two functions into one system, the vulnerabilities of each potentially impact the other, a failure of the hardware lowers all ships, and the commonality of operating environments makes vulnerabilities apply to more and more systems. The more things you combine, the more weight you put on the virtualization system. Unless there are compensating controls, risks increase to exceed tolerance levels and failures result in intolerable losses. So virtualization is ultimately a tradeoff that trades cost for risk.
Virtualization should be understood as a tradeoff between operational costs and security costs, and not just treated as a reduction in operating costs resulting from technology advances. Technology advances do indeed reduce costs, but when used in the virtualization mode of aggregating systems and their content into fewer systems, reduced integrity, availability, confidentiality, use control, and accountability result unless compensating controls are put in place. Since those compensating controls also have costs, those costs must be part of the balance considered in limiting virtualization and must be recognized as such by those who are making decisions surrounding virtualization.