I regularly work with organizations that are wary of mixing public and private workloads in a common virtualization environment. Whether it is mixing public and private workloads, mixing multiple organizations on a common virtual infrastructure or simply mixing workloads from various internal networks, there is still a lot of concern around the security aspects of this discussion. Many people still look at one physical server, and get uneasy about different workloads sharing that server. Logically, many people relate it to sharing an operating system and that is the root of many concerns. This is an easy misconception, since traditional deployments have long been just that, one operating system for each physical server. If not properly explained, virtualization remains a black box to many people and old perceptions remain in place.
This is where we, as consultants and virtualization architects, need to do a better job of explaining new technologies. In this, case, it is not even a new technology, just a real lack of education in the marketplace. In 2001, the National Security Agency (NSA) worked with VMware on a project called NetTop to develop a platform for mixing secure and non-secure workloads on a common device. Previously the NSA maintained an “Air Gap” policy of not letting servers with mixed security needs touch each other. With the NetTop project, the NSA leveraged virtualization to bring these workloads onto a common server or workstation. This was not 2 years ago, but 10 years ago. And the security measures deployed in NetTop have only been improved on since then.
In fact, in 2007, the NSA came back to VMware to develop their High Assurance Platform (HAP). I won’t pretend to know your security needs, but I know virtualization has long been used for mixing highly sensitive data by people who live and die by data security.
NSA and VMware partner for NetTop:
NSA’s “VMware ESX Server 3 Configuration Guide”: