Per usual, security is an afterthought, which is a huge problem. Virtualization changes the definition of servers and data centers. As opposed to physically distinct servers connected over a network (that can presumably be secured or monitored), a virtual environment is an isolated, self-contained "data center in a box." When all the process-to-process communications that have happened over a network in the past are instead happening inside a single IT enclosure, there's no doubt that the security ramifications will be significant.
The fact is that no one knows how much virtualization is going to upend the 15 years of work the industry has invested to build defenses for systems and applications. In order to grasp the situation, it's important to understand that security functions are different in a virtualized world.
To again be clear, it's impossible to say exactly what the most significant virtualization security challenges will be, but here are some key points to consider.
- Network defenses are moot -- Most network defenses are predicated on seeing traffic, comparing either packets or behaviors to what is known to be malicious, and then taking action. If the traffic can't be seen, a network-based approach that works within the virtualized server must be implemented. In other words, that means monitoring inter-process communications within the virtual machines, or across a virtual infrastructure that spans multiple physical machines.
The definition of the "network" in a virtualized world is significantly different, and requires different defenses. Blue Lane Technologies Inc. and Reflex Security Inc. are two of the vendors already working to solve the problem, whatever the problem turns out to be.
- Hypervisors are great (to attack) -- Everyone talks about how insecure the OS is. Yes, all of the OSes are insecure, but to add a bit more complexity (what's a bit more complexity between friends?), virtualization means layering a whole mess of potentially insecure OSes on top of what is potentially another insecure OS -- the hypervisor.
For those of you not familiar with virtualization terminology, the hypervisor is the software abstraction layer between the bare metal and the operating system instances that run on top of it. This is software, and, as is the case with most software, we all know it is pretty much vulnerable. The question is, how vulnerable? The stakes are high; if the underlying hypervisor is compromised, it's possible to own all of the virtual machines that run on top of it.
If the hypervisor turns out to be vulnerable, a good analogy would be building a skyscraper on a foundation of quicksand. You don't need to be a structural engineer to figure out how that works out.
- Configuration management on steroids -- When five, 10 or 100 virtual devices are on each physical server, a lot of strain is placed on the existing configuration management infrastructure. Patching 5,000 virtual images running different OSes is near impossible. Today's configuration management offerings must evolve to factor in the scalability (and efficiency) needed to operate in a virtualized world.
- Business continuity is challenging -- Many organizations run stand-by servers and replication technology, just in case. For mission-critical applications it's the right thing to do since downtime is quantifiably expensive. But if these critical applications are running in a virtual space, your business continuity plans need to evolve to factor that in.
In the category of "what's old is now new again," this is a solved problem. Solved by the mainframe operating systems of days gone by. Just because we've seen the problem before and can pick out an analogy, it doesn't mean the problem is close to being solved in this new reality.
- Software business models must change -- Lots of software, especially management software, is priced per managed device, but in a virtual world, what is a managed device? Does every created virtual image need to be paid for? Is a credit issued when the image is removed? I don't have those answers, but I can tell you the pricing status quo is not sufficient.
We'll see new software pricing models emerge as a result of virtualization.
There may very well be early answers to some of these issues. I know there are a lot of smart folks figuring them out and bringing new products to market to solve problems.
But until the key issues are outlined, it's important to work with the data center folks in your organization to figure out what the virtualization security plan should be for your environment. The road to virtualization will be fun -- the "I am feeling a bit woozy and about to puke because I just got off of a roller coaster" type of fun.
This was first published in May 2007
About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.