Virtualised client server technology is riding high at the moment,
with its potential to increase efficiency and reduce costs making
it seem an attractive option for many CIOs. But is security in
danger of getting left behind in the race to save money?
Although virtualised computing environments are a relatively new
phenomenon on PCs, the idea of a multi-user graphical user
interface environment can be traced back to 1984, when the
Massachusetts Institute of Technology developed the X-Windows
concept, a client server technology with several clients feeding
off a central server environment.
And before X-Windows, mainframes partitioned several
applications so they could be run simultaneously without
interfering with one another.
Central to virtualisation is the idea of network transparency.
This means that client application programs can execute under a
different operating system from that of the machine they are
running on.
In simple terms, this allows an Intel-based terminal to act as a
client to an Intel-based central server, but to run Unix, Linux and
OS X applications in parallel with Windows software on the local
client machine.
Although Unix and Linux-based virtualised environments are popular,
a growing number of virtualised system users run VMware, a
proprietary virtualisation environment for x86-compatible
computers.
Using a combination of VMware's workstation and server software, it
is possible for users to run multiple applications on multiple
operating systems using a local display machine.
Because each user is effectively using a central multi-tasking
environment, dynamic load-sharing becomes possible, making the
whole platform much more efficient.
But what about security in a virtualised environment? According
to Gartner, although virtualisation offers large organisations the
opportunity to reduce costs and increase their overall IT agility,
if the implementation process is carried out without using IT
security best practices, it can actually increase costs and reduce
an organisation's IT efficiency.
In his presentation at a Gartner symposium on virtualising
security held in San Francisco in April, Neil MacDonald, a Gartner
vice-president, said that regardless of the specific architecture
involved, the process of virtualisation uses a privileged layer of
software.
If this privileged layer is compromised, it places all
applications running in the virtual environment at risk.
"Virtualisation, as with any emerging technology, will be the
target of new security threats," he said.
"Many organisations mistakenly assume that their approach to
securing virtual machines will be the same as securing any
operating system and, as a result, plan to apply their existing
configuration guidelines, standards and tools.
"While this is a start, simply applying the technologies and
best practices for securing physical servers will not provide
sufficient protection for virtual machines," he said.
According to MacDonald, because of the rush to adopt virtualisation
for server consolidation efforts, many IT security issues are
overlooked. Best practices are not applied, or in some cases, the
tools and technologies for addressing security issues are either
immature or non-existent.
As a result, in his March 2007 report, Security Considerations and
Best Practices for Securing Virtual Machines, MacDonald predicted
that, until 2009, 60% of virtual machines will be less secure than
their physical counterparts.
Against this backdrop, MacDonald argued that the process of
securing virtual machines must start before deployment. Using this
approach means that both security and securability can be factored
into the evaluation and selection process.
During this process, Gartner believes that organisations should
consider several security issues surrounding virtualisation,
including:
● Virtualisation software, such as hypervisors, represents a new
layer of privileged software that will be attacked and must be
protected.
● The loss of separation of duties for administrative tasks can
lead to a breakdown of defences.
● Offline virtual machines and virtual machine appliance images
must be patched, and signatures must be updated and protected from
tampering.
● Virtual machine appliances where the underlying operating
system and configuration are not accessible must be patched and
secured.
● Access to inter-virtual machine traffic for inspection by
intrusion-prevention systems may be limited.
● Mobile virtual machines require security policies and settings
to migrate with them.
● Immature and incomplete security and management tools will
represent an administration challenge.
MacDonald said that organisations need to pressure security and
virtualisation suppliers, as existing virtualisation products
address some of these gaps, but not all. Perhaps more worryingly,
he said that it will take several years for the tools and suppliers
to evolve and for organisations to mature their processes and staff
skills.
According to MacDonald, knowledge of the security risks - as
well as the costs of addressing them - must be factored into the
cost-benefit discussion of virtualisation. "If these added costs
are avoided, the risk of not making the necessary security
investments must be accepted by the decision maker in the move to
virtualisation," he said.
Perhaps surprisingly, once you start to move outside the more
obvious network-based systems such as a unified threat management
(UTM) appliance, the number of security applications developed
specifically for virtualised environments is quite small.
According to Christofer Hoff, senior security strategist with
network security specialist Crossbeam Systems, traditional UTM
appliances - even those that are scaled up for use in enterprise
applications - are not the way to go for virtualised
environments.
Hoff told the Infosecurity Europe show in April that the best
way to protect a virtualised system is to integrate the security
into the virtual server environment.
Hoff's approach is to run a baseline Linux environment on an X
series rack-mounted system and then run a number of security
applications within the virtual environment itself, rather than as
an external protection system.
Hoff argued that this approach is far more effective in terms of
protecting all aspects of the virtualised environment than using a
traditional UTM or similar appliance methodology.
What is interesting about Hoff's approach is that it flies in
the face of conventional wisdom when it comes to protecting
enterprise environments.
Several suppliers have developed scalable and hybrid UTM appliance
technologies to cater for 1,000 and even 2,000 connected users, but
they all tend to take a perimeter-based approach to the problem of
security.
However, to protect a virtualised environment effectively, IT
managers must take an integrated approach to the problem.
But there are other approaches to effectively securing a
virtualised environment, whether VMware-driven or otherwise.
Speaking at Infosecurity Europe, Carlos Solari, vice-president
of Alcatel-Lucent's Bell Labs, said that creating an effective
security system for a virtualised environment is about breaking
down the various threats to the overall system into individual
components.
"You have to take an audit and planning approach, so that you
can conduct the necessary risk analysis of the threats facing your
virtualised systems," he said. Only once this is done can an IT
manager set about implementing a security system that caters to
their own specific needs, Solari said.
Before joining Bell Labs, Solari was CIO at the White House. He
was charged with protecting the IT systems of the US president and
his senior colleagues. Although reluctant to talk about his time
there in detail, Solari said that performing an effective risk
analysis on an enterprise system - and not just a virtualised
environment - is a must-have element of the IT security planning
process.
"If you rely purely on suppliers' products without fundamentally
understanding how they work and how they fit in with your IT
systems, you may be opening yourself up to unknown security
threats," he said.
It is clear that implementing effective IT security in a
virtualised environment is still very much in its infancy. This is
hardly surprising given that virtualisation technologies are still
at an early stage in their lifecycle.
Despite this, it is obvious that a perimeter-based approach to
security in a virtualised environment is only part of the answer.
Hoff's approach of running the virtualised environment as an
overlay to a secured Linux platform appears the most innovative
approach to the problem.
This is because it allows security software from many suppliers
to run quite happily in their own operating system bubbles, yet
also interface directly with the virtualised environment across a
network connection processed via the underlying Linux platform.
But how can you effectively protect the underlying Linux
environment? Current security technology can be used, but what
about unknown threats?
Behavioural analysis technology, such as that pioneered by
Tier-3 with its Huntsman platform, may be one answer, but it is
clear that the issue of securing virtualised environments requires
an integrated multi-product and multi-supplier approach, as
traditional systems are never going to be enough.
● This article was originally published in Infosecurity Magazine