Enabling Secure Business Operations

Virtualization – Are The Masses Ready?

April 30th, 2009

Let’s face it. Virtualization is everywhere in businesses today. There probably isn’t an IT admin out there who doesn’t swear by it, given the sheer number of benefits it brings to IT departments: reduced resources, better energy savings, easier administration, etc. It’s also nothing new, really. It’s been around for quite some time now, but it has usually been limited to IT departments, developers, system testers, or the other elite geeks. It hasn’t really been a product for mass consumption – until very soon.

Anyone who hasn’t been hiding under a rock for the past few weeks has probably heard about Microsoft’s new OS, Windows 7, and how it incorporates built-in Windows XP virtualization. It will utilize Microsoft’s Virtual PC technology and host a built-in copy of Windows XP for legacy use. The technology seems pretty sweet on paper so far. There are still a few days before we get to try it out as a whole.

Even though virtualization has been in use for some time now, it has usually been in the hands of trained professionals (or at least those with a higher geek score than the average user). So, is the everyday user ready to take on the responsibility of having the equivalent of two machines running all the time?

One area of concern is that the virtual XP (VXP) still needs to be handled as if it were its own machine, just like any other server platform running in a virtual environment. The VXP still needs to run its own local copy of anti-virus and firewall, and maintain its own regular patch frequency. This also helps explain Microsoft’s extension of the XP support line.

So, not only are IT admins now responsible for maintaining a regular update and policy environment for all the standard user machines, but they also need to take into consideration what could be running in “XP Mode.” I’m sure in larger companies software is controlled, and policies restrict the usage of this. But there are plenty of medium/smaller companies that don’t keep as tight a rein on their systems.

Windows 7 seems to be a great step forward, even in security-related aspects, but does this open up the attack vector even more, or could the VXP now be used as the attacking source to circumvent all of Windows 7’s security? There are plenty of questions still to be asked, but it doesn’t look like any are stopping the product. It isn’t exactly a standard default either; XP Mode is an opt-in option. So, at least if there is no need for legacy support, you don’t have to take it.

I’ll be getting a copy of the next beta release as soon as it’s available and will let you know some more of the details as the product is explored more thoroughly. So, what are your ideas/concerns about the new “feature”? Let us know in the comments.

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!


RSA Conference 2009 Trends-Day 1

April 22nd, 2009

I can easily sum up what nearly every talk, every keynote, and every booth vendor is discussing here at RSA. I just need four words: “Cloud computing and virtualization.” Virtualization is important because of the desire to make things cheaper and easier to maintain, and it presents a powerful argument for power savings, especially the week of Earth Day. The security concerns in virtualization are generally no different than they are with any current system, except for attack vectors between the host and guest operating systems. Virtualizing security services may be helpful for long-term cost savings, but it introduces additional risks which must be considered and mitigated or accepted.

During the Cryptographer’s Panel, counterarguments about cloud computing were presented. Whit Diffie said he was excited, while Ron Rivest expressed concern. Bruce Schneier said the current move toward cloud computing is like the computing industry coming full circle. Back in the 70s and 80s, we had underpowered terminals accessing shared computing power, storage, and services on a mainframe. Now, replace mainframe with “cloud” and underpowered terminal with “netbook” or “mobile phone” and you’ll see where we are.

Personally, I don’t think we did a great job of information security in the 70s and 80s, so coming full circle is not a good thing. Cloud computing must be an area of continued vigilance, concern, and research for the coming years.

What are your thoughts? Tell us in the comments!
