Overcoming Security Challenges to Virtualize Internet-facing Applications

Server virtualization brings real business value such as server consolidation, higher compute capacity utilization, data center space/power/cooling efficiencies, and operational agility. Intel IT has been actively driving the adoption of server virtualization within Intel's data centers (DCs), with a target of virtualizing 75 percent of the office and enterprise DCs. However, virtualization aggregates risk for the enterprise when application components and services of differing risk profiles are consolidated onto a single physical server platform. This aggregation of risk arises from the added potential for compromise of the hypervisor layer, which in turn could compromise all the shared physical resources the hypervisor controls, such as memory and data, as well as the other virtual machines on that server. Security concerns initially prevented virtualization of several categories of applications, including the Internet-facing applications used to communicate with customers and consumers. This paper describes how Intel IT mitigated these risks, enabling virtualization for the DMZ and SIZ and thereby allowing Intel IT to expand the benefits of virtualization. Our solution includes a secure virtualization host architecture that uses private virtual LANs (PVLANs) to isolate virtual machines, helping to ensure that compromise of one application cannot directly spread to others. This architecture also maintains existing secure administration policy by separating network and server administrative duties. In addition, we segregate virtualization host servers into landing zones analogous to those in the physical environment, and we harden and isolate the virtualization management systems. Over time, we plan to further enhance our secure virtualization capabilities by taking advantage of hardware-assisted security with Intel® Trusted Execution Technology (Intel® TXT) and Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI).
We have already deployed our secure virtualization infrastructure at multiple data centers and are successfully migrating applications to it. Using this approach, we plan to virtualize all suitable Internet-facing applications by 2012. This is a significant step toward our goal of virtualizing 75 percent of the office and enterprise environment.
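As an added illustration (not code from the paper or from Intel IT), the following Python model captures the two controls the abstract relies on: PVLAN port semantics that let isolated virtual machines reach only the gateway, and a landing-zone check that flags a VM placed on a host outside its zone or a primary VLAN shared across zones. All endpoint, host and zone names are constructed.

```python
from dataclasses import dataclass
from itertools import combinations

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

@dataclass(frozen=True)
class Endpoint:
    """A virtual NIC (or the physical gateway port) attached to a PVLAN."""
    name: str
    primary: int          # primary VLAN id; frames never cross primaries
    port: str             # PROMISCUOUS (gateway/firewall), ISOLATED or COMMUNITY
    community: str = ""   # community name, only meaningful for COMMUNITY ports
    host: str = ""        # virtualization host (empty for a physical gateway)
    zone: str = ""        # landing zone label, e.g. "DMZ" or "SIZ"

def pvlan_forwards(a: Endpoint, b: Endpoint) -> bool:
    """Layer-2 forwarding decision of a PVLAN-capable switch for a -> b."""
    if a is b or a.primary != b.primary:
        return False
    if PROMISCUOUS in (a.port, b.port):
        return True                        # everything may talk to the gateway
    if a.port == b.port == COMMUNITY:
        return a.community == b.community  # same application tier only
    return False                           # isolated ports never reach each other

def reachable(src: str, endpoints) -> set:
    """Names of endpoints that src can reach directly at layer 2."""
    by_name = {e.name: e for e in endpoints}
    return {e.name for e in endpoints if pvlan_forwards(by_name[src], e)}

def audit(endpoints, host_zone) -> list:
    """Landing-zone findings: a VM on a host outside its zone, or a primary
    VLAN carrying VMs of different zones (a lateral-movement aggregation risk)."""
    findings = set()
    for e in endpoints:
        if e.host and host_zone.get(e.host) != e.zone:
            findings.add(f"{e.name}: host {e.host} is not in landing zone {e.zone}")
    for a, b in combinations([e for e in endpoints if e.zone], 2):
        if a.primary == b.primary and a.zone != b.zone:
            findings.add(f"primary VLAN {a.primary} shared by zones {a.zone} and {b.zone}")
    return sorted(findings)

# Constructed sample topology (hypothetical names), including two deliberate violations
SAMPLE = [
    Endpoint("fw-gw", 100, PROMISCUOUS),
    Endpoint("web1", 100, ISOLATED, host="esx-dmz-01", zone="DMZ"),
    Endpoint("web2", 100, ISOLATED, host="esx-dmz-01", zone="DMZ"),
    Endpoint("app1", 100, COMMUNITY, "appA", host="esx-dmz-02", zone="DMZ"),
    Endpoint("app2", 100, COMMUNITY, "appA", host="esx-dmz-02", zone="DMZ"),
    Endpoint("siz-db", 200, ISOLATED, host="esx-dmz-01", zone="SIZ"),   # wrong host zone
    Endpoint("ops-mon", 100, ISOLATED, host="esx-siz-01", zone="SIZ"),  # shares DMZ VLAN
]
HOST_ZONE = {"esx-dmz-01": "DMZ", "esx-dmz-02": "DMZ", "esx-siz-01": "SIZ"}
```

Running `audit(SAMPLE, HOST_ZONE)` reports both violations, while `reachable("web1", SAMPLE)` shows an isolated web VM can only reach the gateway even though it shares a host and a VLAN with its neighbours.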
