Preparing for virtualization security unknowns


Mike Rothman
05.07.2007


Virtualization is all the rage in the data center world, and for good reason. With the typical server running at less than 40% utilization, virtualization can make more effective use of technology resources and lead to substantial cost savings. Given the expansion of EMC Corp.'s VMware subsidiary and a number of other virtualization platforms, the technology is clearly in rapid growth mode.

Per usual, security is an afterthought, which is a huge problem. Virtualization changes the definition of servers and data centers. As opposed to physically distinct servers connected over a network (that can presumably be secured or monitored), a virtual environment is an isolated, self-contained "data center in a box." When all the process-to-process communications that have happened over a network in the past are instead happening inside a single IT enclosure, there's no doubt that security ramifications will be significant.

The fact is that no one knows how much virtualization is going to upend the 15 years of work the industry has invested to build defenses for systems and applications. In order to grasp the situation, it's important to understand that security functions are different in a virtualized world.

To again be clear, it's impossible to say exactly what the most significant virtualization security challenges will be, but here are some key points to consider.

  • Network defenses are moot -- Most network defenses are predicated on seeing traffic, comparing either packets or behaviors to what they know to be malicious, and then taking action. If the traffic can't be seen, a network-based approach that works within the virtualized server must be implemented. In other words, one that monitors inter-process communications within the virtual machines or across a virtual infrastructure that spans multiple physical machines.

    The definition of the "network" in a virtualized world is significantly different, and requires different defenses. Blue Lane Technologies Inc. and Reflex Security Inc. are two of the vendors already working to solve the problem, whatever the problem turns out to be.

  • Hypervisors are great (to attack) -- Everyone talks about how insecure the OS is. Yes, all of the OSes are insecure, but to add a bit more complexity (what's a bit more complexity between friends), virtualization means layering a whole mess of potentially insecure OSes on top of what is potentially another insecure OS -- the hypervisor.

    For those of you not familiar with virtualization terminology, the hypervisor is the software abstraction layer between the bare metal and the operating system instances that run on top of it. This is software, and as is the case with most software, we all know it is pretty much vulnerable. The question is, how vulnerable? The stakes are high; if the underlying hypervisor is compromised, it's possible to own all of the virtual machines that run on top of it.

    If the hypervisor turns out to be vulnerable, a good analogy would be building a skyscraper on a foundation of quicksand. You don't need to be a structural engineer to figure out how that works out.

  • Configuration management on steroids -- When five, 10 or 100 virtual devices are on each physical server, a lot of strain is placed on the existing configuration management infrastructure. Patching 5,000 virtual images running different OSes is near impossible. Today's configuration management offerings must evolve to factor in the scalability (and efficiency) needed to operate in a virtualized world.

  • Business continuity is challenging -- Many organizations run stand-by servers and replication technology, just in case. For mission-critical applications it's the right thing to do since downtime is quantifiably expensive. But if these critical applications are running in a virtual space, your business continuity plans need to evolve to factor that in.

    In the category of "what's old is now new again," this is a solved problem. Solved by the mainframe operating systems of days gone by. Just because we've seen the problem before and can pick out an analogy, it doesn't mean the problem is close to being solved in this new reality.

  • Software business models must change -- Lots of software, especially management software, is priced per managed device, but in a virtual world, what is a managed device? Does every created virtual image need to be paid for? Is a credit issued when the image is removed? I don't have those answers, but I can tell you the pricing status quo is not sufficient.

We'll see new software pricing models emerge as a result of virtualization.

There may very well be early answers to some of these issues. I know there are a lot of smart folks figuring them out and bringing new products to market to solve problems.

But until the key issues are outlined, it's important to work with the data center folks in your organization to figure out what the virtualization security plan should be for your environment. The road to virtualization will be fun -- the "I am feeling a bit woozy and about to puke because I just got off of a roller coaster" type of fun.

About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.
