Virtualization Security: Focus On The Fundamentals - InformationWeek

Virtualization security remains a major concern for many companies. While new tools play an important part in solving this problem, so does a straightforward, back-to-basics approach to server security.

According to one recent survey, 17 percent of IT executives see security concerns as the biggest stumbling block for server virtualization projects. At the same time, security experts continue to discover ways that theoretical virtual-server attacks can evolve into real-world threats: At ShmooCon earlier this month, security pros had a chance to get an up-close-and-personal look at one of the newest, previously unreleased exploits for the virtualized server environment. While not quite a zero-day vulnerability (the researchers worked directly with VMware before releasing details), the directory traversal exploit against VMware Server and ESX/ESXi is still catching virtual server admins with their pants on the ground.

Justin Morehouse and Tony Flick's presentation, "Stealing Guests...the VMware Way," detailed the attack and included an easy-to-use tool that would allow an unauthenticated attacker to download any guest virtual machine from an affected system. Even without the tool, the attack was simple enough to carry out with a Web browser -- throw in a quick search with Shodan, and well, you know what they say about "idle hands."

DarkReading contributor John Sawyer offers some advice for companies looking to stay ahead of virtualization security risks. First, he notes, IT admins need to focus on the same fundamentals that apply to all server security efforts: "Just like physical servers and networks, virtual systems need security controls to protect and monitor sensitive data to make sure it's not being leaked, intentionally or unintentionally."

A growing number of vendors now offer security software and dedicated appliances that integrate with hypervisors. These products, says Sawyer, allow admins "to regain the visibility and control of traffic that is lacking in most virtualized server environments." As a result, they offer improved security yet rely upon the same rule-based implementations employed in physical security tools.

Sawyer also says this is a good time to remind IT admins about the importance of "solid system hardening practices" in both physical and virtual server environments. System hardening guides for many prominent virtualization platforms, including VMware, Xen, and Hyper-V, offer a good place to get acquainted with this process.

Warning IT departments against complacency might seem unnecessary. Real-world experience, however, suggests that too many companies still see virtualization technology as a solution to their server security concerns.

"In the end," Sawyer concludes, "they're all servers -- and someone somewhere is going to want to break into them." The only question is whether your company's IT staff will have the tools and the knowledge required to stop them.
