How secure is the current practice in virtualisation?
The stampede to employ virtualisation sees no sign of waning in 2009, writes Raj Samani, vice-president of communications at ISSA UK.
Gartner has ranked virtualisation as the number one strategic technology for 2009 and many corporations have already implemented it on the back of green datacentres (reducing footprint and power). This trend will continue, with a recent survey of 200 IT decision makers stating that 90% of respondents will be using desktop virtualisation within five years.
However, by employing virtualisation within your organisation are you "absolutely deluded, if not stupid," as OpenBSD project leader Theo de Raat claims? Such delusion is apparently borne from consumers assuming that software engineers, who are unable to produce operating systems or applications without security holes, can suddenly produce virtualisation layers without security holes.
This is supported by Gartner. The prediction for 2009 is that 60% of production virtual machines will be less secure than physical systems. This is largely due to:
Lack of discipline - Virtual machines can take minutes to create. This results in systems spread across the enterprise that add time delays to the application of security basics (eg. patching), or simply being forgotten about. The patching of systems also applies to the Hypervisor - this is the host operating system upon which the virtual machines run.
New vulnerabilities - Potential attackers invariably focus their attention on popular technologies. With the inevitable march towards virtualisation comes the inevitable effort to find ways to break in. An example of this was IBM reporting that of the 100 flaws identified in a popular VM vendor, between 1999 and 2006, three-quarters were found between 2004 and 2006.
Single points of failure - With many systems running on one physical device, hardware failure, for example, will result in a single point of failure for these many systems.
To avoid falling for the same pitfalls, the keyword is planning. Ensure that the security policy is updated to include virtualisation, and that administration of virtual machines is considered both from a personnel and a technical perspective.
Thereafter treat the virtualised migration much like the rollout of new physical devices. Just because you cannot see it and touch it, it does not mean the risks are not out there.
Read more expert advice from the Computer Weekly Security Think Tank >>
This was first published in January 2009