How secure is the current practice in virtualisation?
The stampede to employ virtualisation shows no sign of waning in 2009, writes Raj Samani, vice-president of communications at ISSA UK.
Gartner has ranked virtualisation as the number one strategic technology for 2009, and many corporations have already implemented it on the back of green datacentres (reducing footprint and power). This trend will continue: a recent survey of 200 IT decision makers found that 90% of respondents will be using desktop virtualisation within five years.
However, by employing virtualisation within your organisation are you "absolutely deluded, if not stupid," as OpenBSD project leader Theo de Raadt claims? Such delusion is apparently born of consumers assuming that software engineers, who are unable to produce operating systems or applications without security holes, can suddenly produce virtualisation layers without security holes.
Gartner supports this view, predicting that in 2009 60% of production virtual machines will be less secure than physical systems. This is largely due to:
Lack of discipline - Virtual machines can take minutes to create. The result is systems spread across the enterprise that either delay the application of security basics (eg. patching) or are simply forgotten about. Patching also applies to the hypervisor, the host operating system on which the virtual machines run.

New vulnerabilities - Potential attackers invariably focus their attention on popular technologies. With the inevitable march towards virtualisation comes the inevitable effort to find ways to break in. An example of this is IBM reporting that, of the 100 flaws identified in a popular VM vendor's products between 1999 and 2006, three-quarters were found between 2004 and 2006.

Single points of failure - With many systems running on one physical device, a single hardware failure, for example, takes down all of them at once: the physical device becomes a single point of failure for the many systems it hosts.
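The "lack of discipline" problem above is, in practice, an inventory problem: the hypervisor knows which virtual machines exist, while the patch-management system only knows about the ones somebody bothered to register. The check below is an added example, not code from the article or from any vendor, and reconciles the two views so that forgotten, unowned or overdue machines (including the hypervisor host itself) show up on a report. The inventories, host names, owners, dates and the 30-day patch-age policy are all constructed sample values.

```python
"""Reconcile a hypervisor's VM inventory against a patch-management inventory.

Added example (not from the original article). It surfaces the "forgotten"
virtual machines the article warns about: VMs the hypervisor runs but the
patching system has never registered, VMs with no recorded owner, and hosts
(the hypervisor included) whose last patch run is older than policy allows.
All data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy: anything not patched within this many days is overdue (assumed value).
MAX_PATCH_AGE_DAYS = 30


@dataclass(frozen=True)
class Host:
    name: str
    owner: Optional[str]          # None = nobody recorded as owning it
    last_patched: Optional[date]  # None = never seen by patch management


# Constructed hypervisor inventory: what the virtualisation layer says exists.
# The hypervisor host itself is listed, since it needs patching too.
HYPERVISOR_VIEW = {
    "hv-host-01": Host("hv-host-01", "platform-team", date(2009, 1, 5)),
    "web-01": Host("web-01", "web-team", date(2009, 2, 20)),
    "web-02-clone": Host("web-02-clone", None, None),  # cloned, never registered
    "test-db-tmp": Host("test-db-tmp", "dba", date(2008, 11, 2)),  # stale
}

# Constructed patch-management inventory: the hosts the patching system tracks.
PATCH_MGMT_VIEW = {"hv-host-01", "web-01", "test-db-tmp", "old-physical-box"}


def reconcile(hypervisor, patch_mgmt, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return the gaps between the two inventories as sorted name lists.

    unmanaged: hosts the hypervisor runs that patch management never registered
    overdue:   hosts whose last patch run is older than the policy threshold
    unowned:   hosts with no recorded owner (nobody to chase for patching)
    ghosts:    entries patch management tracks that no longer exist on the hypervisor
    """
    cutoff = today - timedelta(days=max_age_days)
    unmanaged = sorted(n for n in hypervisor if n not in patch_mgmt)
    overdue = sorted(
        n for n, h in hypervisor.items()
        if h.last_patched is not None and h.last_patched < cutoff
    )
    unowned = sorted(n for n, h in hypervisor.items() if h.owner is None)
    ghosts = sorted(n for n in patch_mgmt if n not in hypervisor)
    return {"unmanaged": unmanaged, "overdue": overdue,
            "unowned": unowned, "ghosts": ghosts}


def example_report(today=date(2009, 3, 1)):
    """Run the reconciliation over the constructed sample inventories."""
    return reconcile(HYPERVISOR_VIEW, PATCH_MGMT_VIEW, today)


if __name__ == "__main__":
    for category, hosts in example_report().items():
        print(f"{category:10s}: {', '.join(hosts) or '-'}")
```

In a real deployment the two dictionaries would be filled from the hypervisor's management API and the patch-management database; the reconciliation logic itself does not change. Note that a machine that has never been patched has `last_patched` set to `None` and is reported as unmanaged rather than overdue, so the "never registered" case is not lost inside the "late" one.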
To avoid these pitfalls, the keyword is planning. Ensure that the security policy is updated to include virtualisation, and that administration of virtual machines is considered from both a personnel and a technical perspective. Thereafter, treat the migration to virtualisation much like the rollout of new physical devices. Just because you cannot see or touch a virtual machine does not mean the risks are not there.
Read more expert advice from the Computer Weekly Security Think Tank.