
More On the Risks of Virtualization

I’ve been doing a bit of writing and speaking on panels recently on the topic of virtualization and the impact it has across the entire spectrum of risk. I think it’s fairly clear to most that virtualization touches every part of the computing landscape, from the client to the data center, and ultimately why securing virtualization by virtualizing security matters.

Gartner just released an interesting article titled "Organizations That Rush to Adopt Virtualization Can Weaken Security." Some people will react to the title as sensationalism, but I think the security issues it raises are quite valid.

I’m glad to see that this study almost directly mirrors the talking points we’ve been going on about, without any glaring omissions; it validates the problem space. It doesn’t take a rocket scientist to state the obvious, but I hope we get solutions to these problems quickly.

Granted, these are fairly well-known issues, but most folks have not looked deeply into how they affect their overall risk models:

Organizations must consider these security issues in virtualized environments:

  • Virtualization software, such as hypervisors, represents a new layer of privileged software that will be attacked and must be protected.
  • The loss of separation of duties for administrative tasks, which can lead to a breakdown of defense in-depth.
  • Patching, signature updates, and protection from tampering for offline VM and VM "appliance" images.
  • Patching and secure configuration management of VM appliances where the underlying OS and configuration are not accessible.
  • Limited visibility into the host OS and virtual network to find vulnerabilities and assess correct configuration.
  • Restricted view into inter-VM traffic for inspection by intrusion prevention systems (IPSs).
  • Mobile VMs will require security policy and settings to migrate with them.
  • Immature and incomplete security and management tools.
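One concrete control for the third bullet (tampering with offline VM and appliance images) that I’ll sketch here as an added example, not something from the Gartner note or from any vendor’s tooling: keep a keyed integrity manifest of every file that makes up an image (disk, domain XML, firmware vars) and have the power-on path refuse an image that drifted from the last approved state. The manifest layout, the key handling (inlined here; in practice it comes from a KMS or a TPM-sealed host secret) and the file names are assumptions for the example.

```python
"""Keyed integrity manifest for offline VM images (added example, not from the post).

An offline .qcow2/.vmdk can be edited on disk without any guest-side control
noticing.  Hashing each file and MAC'ing the manifest lets an admission hook
refuse to power on an image that changed since it was last patched and approved.
Manifest format, key source and file layout are assumptions for this example.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Assumed: in production this key is fetched from a KMS or unsealed from the host
# TPM; it is inlined only so the example runs offline.
DEMO_KEY = b"replace-me-with-a-key-from-your-kms"


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so multi-GB disks don't get read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(files):
    # Sorted keys, no whitespace: the MAC input must be byte-for-byte stable.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(image_dir, key):
    """Hash every file under image_dir and MAC the resulting table."""
    files = {}
    for root, _, names in os.walk(image_dir):
        for name in names:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, image_dir).replace(os.sep, "/")
            files[rel] = sha256_file(path)
    mac = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "mac": mac}


def verify_manifest(image_dir, key, manifest):
    """Return (ok, findings); findings is a list of (reason, relative_path)."""
    findings = []
    expected = manifest.get("files", {})
    # 1. Authenticate the manifest before trusting any hash inside it; otherwise
    #    an attacker who edits the disk simply edits the manifest to match.
    good_mac = hmac.new(key, _canonical(expected), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good_mac, manifest.get("mac", "")):
        findings.append(("manifest-mac-mismatch", ""))
        return False, findings
    # 2. Compare the on-disk file set against the approved set in both directions.
    current = build_manifest(image_dir, key)["files"]
    for rel, digest in expected.items():
        if rel not in current:
            findings.append(("missing", rel))
        elif current[rel] != digest:
            findings.append(("modified", rel))
    for rel in current:
        if rel not in expected:
            findings.append(("unexpected-file", rel))
    return not findings, findings


def demo():
    """Build, verify, tamper and re-verify on a constructed stand-in image directory."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files: a fake disk header and a minimal domain definition.
        with open(os.path.join(d, "appliance.qcow2"), "wb") as f:
            f.write(b"QFI\xfb" + b"\x00" * 64)
        with open(os.path.join(d, "appliance.xml"), "w") as f:
            f.write("<domain><name>appliance</name></domain>")
        manifest = build_manifest(d, DEMO_KEY)
        clean = verify_manifest(d, DEMO_KEY, manifest)
        # Simulated offline edit of the domain definition (e.g. a swapped disk path).
        with open(os.path.join(d, "appliance.xml"), "a") as f:
            f.write("<!-- offline edit -->")
        edited = verify_manifest(d, DEMO_KEY, manifest)
        # Simulated forged manifest: right hashes, wrong MAC.
        forged = verify_manifest(d, DEMO_KEY, dict(manifest, mac="0" * 64))
        return clean, edited, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "edited", "forged"), demo()):
        print(label, result)
```

The check deliberately runs in the direction of "what is on disk now versus what was approved", so a file added to the image directory is flagged as well as a modified or deleted one; an attacker who drops an extra disk and points the XML at it gets caught on either the unexpected file or the XML change. Policy and settings that should travel with a mobile VM (the seventh bullet) can ride in the same manifest, since anything under the image directory is covered.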

I’m going to be presenting something very similar at the ISSA Metro event in Charlotte on April 10th.  I’ll upload my presentation ahead of time for anyone who might find it useful or interesting.

/Hoff

  1. April 5th, 2007 at 13:21 | #1

    Chris:
    I think the bottom line for security pros is that most static security technologies were developed with underlying assumptions about the environments they were protecting; namely, that they would be relatively fixed/stable.
    While virtualization introduces new levels of change and mobility and stack variety… the hypervisor layer may be the biggest opportunity for security that the market has seen in a long time. Virtualization done right can be more secure than corresponding physical environments. By advising clients of the changes taking place as a result of virtualization (and the risks) Gartner and Nemertes are setting the stage for enhanced security.
    If one thinks their host or network IPS with sigs, tuning, footprints and/or downtime, etc can keep up IMHO one is kidding oneself.
    Virtualization demands app and protocol awareness at the hypervisor layer for starters. The days of physical IP addresses and signatures are coming to an end.

  2. April 9th, 2007 at 12:54 | #2

    Chris – We're on to you.
    We all know that when you use the word "more" immediately followed by "on" in a sentence you are trying to secretly call us all morons. Not gonna work anymore, buddy.

  3. April 9th, 2007 at 17:00 | #3

    Buahahahaha!
    Nice.
