Virtualization Has A Security Blind Spot - InformationWeek



Along with the flexibility and agility gained through virtualization comes a loss of visibility into network traffic.

The race is on. As organizations successfully slash the costs associated with buying, powering, and maintaining physical servers by embracing virtualization, are they leaving their systems vulnerable? Maybe so. Companies' efforts to virtualize are moving beyond the simple consolidation of servers and applications to fewer physical boxes, but there's an additional risk that can parallel the reward. And the risks lie not only where many might suspect--with the hypervisor or virtualization software itself--but also with the impact virtualization can have on traditional network and security controls.


Virtualization software, primarily the hypervisor, is no different than any other software application: It's bound to have defects and security bugs. What sets hypervisors apart is the risk of so-called "hyperjacking," a successful attack that leads to a compromised hypervisor, giving an attacker unfettered access to all virtual machines on the physical server. This could be quite the compromise, given that anywhere from a handful to dozens of VMs could be running on a single host.

While the consequences of a compromised host can be dire, it's generally thought that the vulnerabilities of the hypervisor are the least of a security professional's worries. "Virtualization security has nothing to do with the security of the hypervisor," says Andreas Antonopoulos, an analyst at Nemertes Research. "It has to do with the fact that we're fundamentally changing the IT architecture, operational patterns, deployment life cycles, and management methods of our servers. These issues will create more security issues for organizations than the hypervisor itself."

Along with the flexibility and agility gained through virtualization comes a security blind spot--the loss of visibility into network traffic. "You lose granularity on the network traffic between your virtual servers because that traffic never leaves the physical box, and your traditional security tools won't be able to analyze the traffic," says Lloyd Hession, an independent IT security consultant and former chief information security officer at financial network services firm BTRadianz.
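
The blind spot described above can be measured from a VM placement inventory and a set of flow records. The following is an added example, not part of the original article; the VM names, hosts, trust zones and flows are constructed, and it assumes flow records are available from the virtual switch or from the guests themselves.

```python
from collections import Counter

# Constructed inventory: VM name -> (physical host, trust zone). All names are hypothetical.
PLACEMENT = {
    "web-01": ("esx-a", "production"),
    "web-02": ("esx-b", "production"),
    "db-01":  ("esx-b", "production"),
    "dev-01": ("esx-a", "development"),
    "qa-01":  ("esx-a", "qa"),
}

# Constructed flow records (source VM, destination VM, destination port),
# e.g. as exported from the virtual switch or from agents on each guest.
FLOWS = [
    ("web-01", "db-01", 5432),
    ("web-02", "db-01", 5432),
    ("dev-01", "web-01", 22),
    ("qa-01", "dev-01", 445),
    ("dev-01", "db-01", 5432),
    ("web-01", "backup-01", 873),  # destination missing from the inventory
]

def classify(flow, placement=PLACEMENT):
    """Label one flow by what a sensor on the physical network can see."""
    src, dst, _port = flow
    if src not in placement or dst not in placement:
        return "unknown-placement"   # stale inventory: visibility cannot be decided
    (src_host, src_zone), (dst_host, dst_zone) = placement[src], placement[dst]
    if src_host != dst_host:
        return "on-wire"             # crosses a physical NIC; a network IPS can inspect it
    if src_zone != dst_zone:
        return "blind-cross-zone"    # stays on the host AND crosses a trust boundary
    return "blind-same-zone"         # stays on the host within one zone

def blind_spot_report(flows=FLOWS, placement=PLACEMENT):
    """Count flows per label and list the intra-host flows that cross zones."""
    counts = Counter(classify(f, placement) for f in flows)
    review = [f for f in flows if classify(f, placement) == "blind-cross-zone"]
    return counts, review

if __name__ == "__main__":
    counts, review = blind_spot_report()
    for label, n in sorted(counts.items()):
        print(f"{label:18} {n}")
    for src, dst, port in review:
        print(f"review: {src} -> {dst}:{port} never leaves the host")
```

Flows labelled blind-cross-zone are the ones to prioritize: they cross a trust boundary without ever reaching a physical network sensor, so they need either host-level inspection or a placement change.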

Five Laws Of Virtualization Security
1. All existing OS-level attacks work in the exact same way
2. The hypervisor attack surface is additive to a system's risk profile
3. Separating functionality and/or content into virtual machines will reduce risk
4. Aggregating functions and resources onto a physical platform will increase risk
5. A system containing a trusted virtual machine on an untrusted host has a higher risk level than a system containing a trusted host with an untrusted VM
Data: Burton Group

This lack of visibility into virtual network traffic is only likely to grow more troublesome as organizations move beyond simply stuffing less-than-mission-critical systems onto fewer physical hosts. More companies are beginning to manage more virtualized servers in the data center, and these servers are running mission-critical applications. Research firm IDC predicts that companies will invest nearly $11.7 billion in virtualization services by 2011, up from $5.5 billion in 2006.

Consider the experience of health care industry software services provider Quantros, which provides hospitals and health care providers with on-demand software that helps manage patient safety tracking, accreditation, and compliance. Last year, the company began investigating ways it could revamp its then-aging network. "Our network was expanding, and it was becoming cost-prohibitive to keep adding new physical servers," says Bryan Rood, director of Internet data center services at Quantros.

To help save costs while expanding its network, Quantros turned to VMware's ESX server virtualization platform to virtualize a number of its Web and development servers. "This was an ideal area of our infrastructure to start, and there was a strong business case for virtualizing these systems," Rood says.

Following the initial success, more virtualization efforts got under way, including virtualizing systems used for quality assurance. It soon became clear that Quantros' servers, which today consist of 55 physical and 40 virtualized servers, faced security challenges. First, traditional network-based intrusion-prevention systems wouldn't be able to protect multiple virtual servers on a single host from attacks on each other. And maintenance and patching cycles grew challenging, as they always do. Also, considering the ease with which virtual servers can be dispatched, Rood needed a way to make sure each virtual system adhered to the company's strict security and patch-level policies.

Quantros turned to Blue Lane Technologies and its ServerShield, which not only successfully identified and protected Quantros' physical servers, but also all of the virtualized instances on those servers, Rood says. Blue Lane, which has its roots as a virtual patch proxy, is enhancing its technology to better protect virtual environments. Last year, the vendor made available its VirtualShield, which is specifically designed for VM-to-VM traffic-flow analytics and enforcement.

Don't rush into virtualization without fully considering its impact on your information protection practices.

These are the types of security challenges that companies turning to virtualization need to be prepared for. "Most companies, when they started down this path, did so for their lab and testing systems. They found they could save some money and get additional business agility," says Kurt Roemer, chief security strategist at Citrix Systems. "But they didn't ask how virtualization would change their existing network infrastructures. The traditional controls are now abstracted."

That has security pros and audit teams a bit prickly. "They want to see how these virtualized environments will function and deliver the same security posture, availability, latency, and deliver on the SLAs that they enforced prior to moving to virtualization," says Chris Hoff, chief architect of security innovation at Unisys.

[Diagram: Virtualized Security In The Data Center]
