Virtualization Has A Security Blind Spot - InformationWeek

5/12/2008
04:45 PM

Along with the flexibility and agility gained through virtualization comes a loss of visibility into network traffic.

The race is on. As organizations successfully slash the costs associated with buying, powering, and maintaining physical servers by embracing virtualization, are they leaving their systems vulnerable? Maybe so. Companies' efforts to virtualize are moving beyond the simple consolidation of servers and applications to fewer physical boxes, but there's an additional risk that can parallel the reward. And the risks lie not only where many might suspect--with the hypervisor or virtualization software itself--but also with the impact virtualization can have on traditional network and security controls.

Virtualization software, primarily the hypervisor, is no different than any other software application: It's bound to have defects and security bugs. What sets hypervisors apart is the risk of so-called "hyperjacking," a successful attack that leads to a compromised hypervisor, giving an attacker unfettered access to all virtual machines on the physical server. This could be quite the compromise, given that anywhere from a handful to dozens of VMs could be running on a single host.

While the consequences of a compromised host can be dire, it's generally thought that the vulnerabilities of the hypervisor are the least of a security professional's worries. "Virtualization security has nothing to do with the security of the hypervisor," says Andreas Antonopoulos, an analyst at Nemertes Research. "It has to do with the fact that we're fundamentally changing the IT architecture, operational patterns, deployment life cycles, and management methods of our servers. These issues will create more security issues for organizations than the hypervisor itself."

Along with the flexibility and agility gained through virtualization comes a security blind spot--the loss of visibility into network traffic. "You lose granularity on the network traffic between your virtual servers because that traffic never leaves the physical box, and your traditional security tools won't be able to analyze the traffic," says Lloyd Hession, an independent IT security consultant and former chief information security officer at financial network services firm BTRadianz.
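The blind spot Hession describes can be measured rather than argued about. The following is an added example, not code from the article or from any vendor named in it: given a VM inventory (which VM runs on which physical host, and which trust zone it belongs to) and a set of flow records, it reports the flows that a network-based IDS/IPS attached to the physical switch can never see, because both endpoints sit on the same host and the packets stay inside the hypervisor's virtual switch. The hosts, VM names, addresses, ports and zones are constructed sample data; the zone labels and the two-host layout are assumptions made for illustration.

```python
"""Audit east-west visibility gaps in a virtualized network.

Added example (not from the InformationWeek article or any vendor): flag
flows whose endpoints are VMs on the same physical host. Such traffic is
switched inside the hypervisor and never reaches a physical NIC, so a
network-based IDS/IPS on the physical segment is blind to it.
All hosts, VM names, addresses and zones below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    host: str      # physical host running this VM (assumed inventory field)
    zone: str      # trust zone, e.g. "web", "app", "db", "dev" (assumed)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed inventory: two hypervisor hosts with mixed workloads.
INVENTORY = [
    VM("web01", "10.0.1.10", "esx-a", "web"),
    VM("web02", "10.0.1.11", "esx-b", "web"),
    VM("app01", "10.0.2.10", "esx-a", "app"),
    VM("db01",  "10.0.3.10", "esx-a", "db"),
    VM("qa01",  "10.0.9.10", "esx-b", "dev"),
]

# Constructed flow records (what NetFlow at the physical switch reports,
# plus what the application team says should be talking to what).
FLOWS = [
    Flow("10.0.1.10", "10.0.2.10", 8080),   # web01 -> app01, same host
    Flow("10.0.1.11", "10.0.2.10", 8080),   # web02 -> app01, crosses hosts
    Flow("10.0.2.10", "10.0.3.10", 1433),   # app01 -> db01, same host
    Flow("10.0.9.10", "10.0.3.10", 1433),   # qa01 -> db01, crosses hosts
    Flow("10.0.1.10", "10.0.3.10", 1433),   # web01 -> db01 directly, same host
]


def index_by_ip(inventory):
    """Map each VM's address to its inventory record."""
    return {ip_address(vm.ip): vm for vm in inventory}


def classify_flows(inventory, flows):
    """Return (blind, visible) lists of (flow, src_vm, dst_vm) tuples.

    A flow is blind to a physical-network sensor when both endpoints are
    VMs on the same host. A flow with an endpoint outside the inventory
    (a physical server, a client) leaves the host and counts as visible.
    """
    by_ip = index_by_ip(inventory)
    blind, visible = [], []
    for f in flows:
        s, d = by_ip.get(ip_address(f.src)), by_ip.get(ip_address(f.dst))
        if s and d and s.host == d.host:
            blind.append((f, s, d))
        else:
            visible.append((f, s, d))
    return blind, visible


def zone_crossing_blind_flows(blind):
    """Blind flows that also cross a trust-zone boundary.

    Fix these first: a compromise of the lower-trust VM reaches the
    higher-trust one with no inspection point anywhere in the path.
    """
    return [(f, s, d) for f, s, d in blind if s.zone != d.zone]


def hosts_needing_virtual_sensor(blind):
    """Hosts that carry blind flows, with the zones co-located on each.

    Each host listed needs either a sensor on its virtual switch or a
    re-placement of VMs so that zones do not share a host (the Burton
    Group's fourth law: aggregating functions on one platform raises risk).
    """
    zones = defaultdict(set)
    for _, s, d in blind:
        zones[s.host].update({s.zone, d.zone})
    return {h: sorted(z) for h, z in zones.items()}


if __name__ == "__main__":
    blind, visible = classify_flows(INVENTORY, FLOWS)
    print(f"{len(visible)} flows visible to the physical-network IDS, {len(blind)} blind")
    for f, s, d in zone_crossing_blind_flows(blind):
        print(f"  BLIND, cross-zone: {s.name}({s.zone}) -> {d.name}({d.zone}) :{f.dport}")
    for host, zones in hosts_needing_virtual_sensor(blind).items():
        print(f"  {host} co-locates zones {zones}: add a vSwitch sensor or separate them")
```

Run against a real inventory export and flow log, the same three functions answer the auditor's question directly: which conversations no longer pass a control point, which of those span a trust boundary, and which hosts therefore need a virtual sensor or a different VM placement.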

Five Laws Of Virtualization Security
1. All existing OS-level attacks work in the exact same way.
2. The hypervisor attack surface is additive to a system's risk profile.
3. Separating functionality and/or content into virtual machines will reduce risk.
4. Aggregating functions and resources onto a physical platform will increase risk.
5. A system containing a trusted virtual machine on an untrusted host has a higher risk level than a system containing a trusted host with an untrusted VM.
Data: Burton Group

This lack of visibility into virtual network traffic is only likely to grow more troublesome as organizations move beyond simply stuffing less-than-mission-critical systems onto fewer physical hosts. More companies are beginning to manage more virtualized servers in the data center, and these servers are running mission-critical applications. Research firm IDC predicts that companies will invest nearly $11.7 billion in virtualization services by 2011, up from $5.5 billion in 2006.

Consider the experience of health care industry software services provider Quantros, which provides hospitals and health care providers with on-demand software that helps manage patient safety tracking, accreditation, and compliance. Last year, the company began investigating ways it could revamp its then-aging network. "Our network was expanding, and it was becoming cost-prohibitive to keep adding new physical servers," says Bryan Rood, director of Internet data center services at Quantros.

To help save costs while expanding its network, Quantros turned to VMware's ESX server virtualization platform to virtualize a number of its Web and development servers. "This was an ideal area of our infrastructure to start, and there was a strong business case for virtualizing these systems," Rood says.

BUILD ON SUCCESS
Following the initial success, more virtualization efforts got under way, including virtualizing systems used for quality assurance. It soon became clear that Quantros' servers, which today consist of 55 physical and 40 virtualized servers, faced security challenges. First, traditional network-based intrusion-prevention systems could not protect multiple virtual servers on a single host from attacks on one another, because that traffic never reaches the physical network where the IPS sits. Maintenance and patching cycles also grew more demanding, as they always do. And given the ease with which new virtual servers can be spun up, Rood needed a way to make sure each virtual system adhered to the company's strict security and patch-level policies.

Quantros turned to Blue Lane Technologies and its ServerShield, which identified and protected not only Quantros' physical servers but all of the virtualized instances running on them as well, Rood says. Blue Lane, which got its start as a virtual-patching proxy, is extending its technology to better protect virtual environments. Last year, the vendor released VirtualShield, which is designed specifically for analyzing and enforcing policy on VM-to-VM traffic flows.

These are the types of security challenges that companies turning to virtualization need to be prepared for. "Most companies, when they started down this path, did so for their lab and testing systems. They found they could save some money and get additional business agility," says Kurt Roemer, chief security strategist at Citrix Systems. "But they didn't ask how virtualization would change their existing network infrastructures. The traditional controls are now abstracted."

That has security pros and audit teams a bit prickly. "They want to see how these virtualized environments will function and deliver the same security posture, availability, latency, and deliver on the SLAs that they enforced prior to moving to virtualization," says Chris Hoff, chief architect of security innovation at Unisys.

[Diagram: Virtualized Security In The Data Center]
