Virtualization Security: Focus On The Fundamentals - InformationWeek

Commentary
2/17/2010
10:53 AM


Virtualization security remains a major concern for many companies. While new tools play an important part in solving this problem, so does a straightforward, back-to-basics approach to server security.

According to one recent survey, 17 percent of IT executives see security concerns as the biggest stumbling block for server virtualization projects. At the same time, security experts continue to discover ways that theoretical virtual-server attacks can evolve into real-world threats: At ShmooCon earlier this month, security pros had a chance to get an up-close-and-personal look at one of the newest, previously unreleased exploits for the virtualized server environment. While not quite a zero-day vulnerability (the researchers worked directly with VMware before releasing details), the directory traversal exploit against VMware Server and ESX/ESXi is still catching virtual server admins with their pants on the ground.

Justin Morehouse and Tony Flick's presentation, "Stealing Guests...the VMware Way," detailed the attack and included an easy-to-use tool that would allow an unauthenticated attacker to download any guest virtual machine from an affected system. Even without the tool, the attack was simple enough to carry out with a Web browser -- throw in a quick search with Shodan, and well, you know what they say about "idle hands."

DarkReading contributor John Sawyer offers some advice for companies looking to stay ahead of virtualization security risks. First, he notes, IT admins need to focus on the same fundamentals that apply to all server security efforts: "Just like physical servers and networks, virtual systems need security controls to protect and monitor sensitive data to make sure it's not being leaked, intentionally or unintentionally."

A growing number of vendors now offer security software and dedicated appliances that integrate with hypervisors. These products, says Sawyer, allow admins "to regain the visibility and control of traffic that is lacking in most virtualized server environments." As a result, they offer improved security yet rely upon the same rule-based implementations employed in physical security tools.


Sawyer also says this is a good time to remind IT admins about the importance of "solid system hardening practices" in both physical and virtual server environments. System hardening guides for many prominent virtualization platforms, including VMware, Xen, and Hyper-V, offer a good place to get acquainted with this process.

Warning IT departments against complacency might seem unnecessary. Real-world experience, however, suggests that too many companies still see virtualization technology as a solution to their server security concerns.

"In the end," Sawyer concludes, "they're all servers -- and someone somewhere is going to want to break into them." The only question is whether your company's IT staff will have the tools and the knowledge required to stop them.
