Along with the flexibility and agility gained through virtualization comes a loss of visibility into network traffic.
The race is on. As organizations successfully slash the costs associated with buying, powering, and maintaining physical servers by embracing virtualization, are they leaving their systems vulnerable? Maybe so. Companies' efforts to virtualize are moving beyond the simple consolidation of servers and applications to fewer physical boxes, but there's an additional risk that can parallel the reward. And the risks lie not only where many might suspect--with the hypervisor or virtualization software itself--but also with the impact virtualization can have on traditional network and security controls.
Virtualization software, primarily the hypervisor, is no different than any other software application: It's bound to have defects and security bugs. What sets hypervisors apart is the risk of so-called "hyperjacking," a successful attack that leads to a compromised hypervisor, giving an attacker unfettered access to all virtual machines on the physical server. This could be quite the compromise, given that anywhere from a handful to dozens of VMs could be running on a single host.
While the consequences of a compromised host can be dire, it's generally thought that the vulnerabilities of the hypervisor are the least of a security professional's worries. "Virtualization security has nothing to do with the security of the hypervisor," says Andreas Antonopoulos, an analyst at Nemertes Research. "It has to do with the fact that we're fundamentally changing the IT architecture, operational patterns, deployment life cycles, and management methods of our servers. These issues will create more security issues for organizations than the hypervisor itself."
Along with the flexibility and agility gained through virtualization comes a security blind spot--the loss of visibility into network traffic. "You lose granularity on the network traffic between your virtual servers because that traffic never leaves the physical box, and your traditional security tools won't be able to analyze the traffic," says Lloyd Hession, an independent IT security consultant and former chief information security officer at financial network services firm BTRadianz.
Five Laws Of Virtualization Security
1. All existing OS-level attacks work in the exact same way.
2. The hypervisor attack surface is additive to a system's risk profile.
3. Separating functionality and/or content into virtual machines will reduce risk.
4. Aggregating functions and resources onto a physical platform will increase risk.
5. A system containing a trusted virtual machine on an untrusted host has a higher risk level than a system containing a trusted host with an untrusted VM.
Data: Burton Group
This lack of visibility into virtual network traffic is only likely to grow more troublesome as organizations move beyond simply stuffing less-than-mission-critical systems onto fewer physical hosts. More companies are beginning to manage more virtualized servers in the data center, and these servers are running mission-critical applications. Research firm IDC predicts that companies will invest nearly $11.7 billion in virtualization services by 2011, up from $5.5 billion in 2006.
Consider the experience of health care industry software services provider Quantros, which provides hospitals and health care providers with on-demand software that helps manage patient safety tracking, accreditation, and compliance. Last year, the company began investigating ways it could revamp its then-aging network. "Our network was expanding, and it was becoming cost-prohibitive to keep adding new physical servers," says Bryan Rood, director of Internet data center services at Quantros.
To help save costs while expanding its network, Quantros turned to VMware's ESX server virtualization platform to virtualize a number of its Web and development servers. "This was an ideal area of our infrastructure to start, and there was a strong business case for virtualizing these systems," Rood says.
BUILD ON SUCCESS
Following the initial success, more virtualization efforts got under way, including virtualizing the systems used for quality assurance. It soon became clear that Quantros' servers, which today consist of 55 physical and 40 virtualized servers, faced security challenges. First, a traditional network-based intrusion-prevention system sits on the physical network, so it can't protect multiple virtual servers on a single host from attacks on each other: that traffic is switched inside the host and never reaches the IPS. Maintenance and patching cycles grew challenging, as they always do. And given the ease with which new virtual servers can be deployed, Rood needed a way to make sure each virtual system adhered to the company's strict security and patch-level policies.
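The visibility gap Hession describes, and the VM-to-VM attack problem Quantros ran into, come down to where a sensor sits. The following is an added example, not code from the article or from any vendor named in it: it models a generic hypervisor virtual switch with one physical uplink, records what a sensor on the physical NIC sees versus what a sensor attached to the virtual switch sees, and applies a simple VM-to-VM allowlist at the switch. VM names, ports, the flow list and the policy are constructed for the illustration; ESX and Blue Lane's products are not modeled.

```python
"""Constructed model of the virtualization blind spot: traffic between VMs on one
host is switched in memory and never crosses the physical NIC, so an IPS or
sniffer on that NIC cannot see or block it. Added example, not vendor code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str    # VM name, or "external" for a host outside the physical box
    dst: str
    dport: int


@dataclass
class VirtualizedHost:
    """A physical server whose VMs share one virtual switch and one uplink."""
    vms: frozenset
    uplink_sensor: list = field(default_factory=list)   # IPS on the physical NIC
    vswitch_sensor: list = field(default_factory=list)  # sensor on the virtual switch

    def forward(self, flow: Flow) -> str:
        """Emulate the virtual switch's forwarding decision for one flow."""
        self.vswitch_sensor.append(flow)          # switch-level sensor sees everything
        if flow.src in self.vms and flow.dst in self.vms:
            return "local"                        # VM-to-VM: never reaches the uplink
        self.uplink_sensor.append(flow)           # only these reach the physical NIC
        return "uplink"


def blind_spot(host: VirtualizedHost) -> list:
    """Flows the virtual-switch sensor saw that the physical-NIC IPS never did."""
    seen_on_wire = set(host.uplink_sensor)
    return [f for f in host.vswitch_sensor if f not in seen_on_wire]


def vswitch_policy_verdicts(flows, vms, allowed) -> list:
    """Inline VM-to-VM enforcement at the virtual switch: traffic between two VMs
    on this host is dropped unless (src, dst, dport) is explicitly allowed.
    Flows with an external endpoint are left to the existing perimeter IPS."""
    verdicts = []
    for f in flows:
        inter_vm = f.src in vms and f.dst in vms
        if inter_vm and (f.src, f.dst, f.dport) not in allowed:
            verdicts.append((f, "drop"))
        else:
            verdicts.append((f, "allow"))
    return verdicts


# Constructed sample: three VMs on one host and a handful of flows.
VMS = frozenset({"web1", "web2", "db1"})
ALLOWED = {("web1", "db1", 3306), ("web2", "db1", 3306)}   # app tier -> database only
CONSTRUCTED_FLOWS = [
    Flow("external", "web1", 443),   # customer request arrives over the uplink
    Flow("web1", "db1", 3306),       # legitimate application query
    Flow("web1", "web2", 22),        # lateral movement between web servers
    Flow("web2", "db1", 1433),       # unexpected port toward the database
    Flow("db1", "external", 53),     # DNS lookup leaves the host
]


def run(flows=CONSTRUCTED_FLOWS) -> VirtualizedHost:
    """Push the sample flows through the host and return it for inspection."""
    host = VirtualizedHost(VMS)
    for f in flows:
        host.forward(f)
    return host


if __name__ == "__main__":
    host = run()
    print("seen by physical-NIC IPS:", len(host.uplink_sensor))
    print("invisible to it:", [(f.src, f.dst, f.dport) for f in blind_spot(host)])
    for f, verdict in vswitch_policy_verdicts(CONSTRUCTED_FLOWS, VMS, ALLOWED):
        print(f"{f.src}->{f.dst}:{f.dport} {verdict}")
```

Of the five sample flows, the physical-NIC sensor sees only the two with an external endpoint; the three VM-to-VM flows, including the lateral SSH connection and the off-policy database port, are visible only at the virtual switch, which is also the only place an inline control can drop them.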
Quantros turned to Blue Lane Technologies and its ServerShield, which identified and protected not only Quantros' physical servers but all of the virtualized instances on those servers as well, Rood says. Blue Lane, which has its roots as a virtual-patching proxy, is enhancing its technology to better protect virtual environments. Last year, the vendor released VirtualShield, which is designed specifically for VM-to-VM traffic-flow analytics and enforcement.
Don't rush into virtualization without fully considering its impact on your information protection practices.
These are the types of security challenges that companies turning to virtualization need to be prepared for. "Most companies, when they started down this path, did so for their lab and testing systems. They found they could save some money and get additional business agility," says Kurt Roemer, chief security strategist at Citrix Systems. "But they didn't ask how virtualization would change their existing network infrastructures. The traditional controls are now abstracted."
That has security pros and audit teams a bit prickly. "They want to see how these virtualized environments will function and deliver the same security posture, availability, latency, and deliver on the SLAs that they enforced prior to moving to virtualization," says Chris Hoff, chief architect of security innovation at Unisys.