Securing a virtualised environment

Virtualised client server technology is riding high at the moment, with its potential to increase efficiency and reduce costs making it seem an attractive option for many CIOs. But is security in danger of getting left behind in the race to save money?

Although virtualised computing environments are a relatively new phenomenon on PCs, the idea of a multi-user graphical user interface environment can be traced back to 1984, when the Massachusetts Institute of Technology developed the X-Windows concept, a client server technology with several clients feeding off a central server environment.

And before X-Windows, mainframes partitioned several applications so they could be run simultaneously without interfering with one another.

Central to virtualisation is the idea of network transparency. This means that client application programs can execute from a different operating system to the machine they are running on.

In simple terms, this allows an Intel-based terminal to act as a client to an Intel-based central server, but to run Unix, Linux and OS X applications in parallel with Windows software on the local client machine.

Although Unix and Linux-based virtualised environments are popular, a growing number of virtualised system users run VMware, a proprietary virtualisation environment for x86-compatible computers.

Using a combination of VMware's workstation and server software, it is possible for users to run multiple applications on multiple operating systems using a local display machine.

Because each user is effectively using a central multi-tasking environment, dynamic load-sharing becomes possible, making the whole platform much more efficient.

But what about security in a virtualised environment? According to Gartner, although virtualisation offers large organisations the opportunity to reduce costs and increase their overall IT agility, if the implementation process is carried out without using IT security best practices, it can actually increase costs and reduce an organisation's IT efficiency.

In his presentation at a Gartner symposium on virtualising security held in San Francisco in April, Neil MacDonald, a Gartner vice-president, said that regardless of the specific architecture involved, the process of virtualisation uses a privileged layer of software.

If this privileged layer is compromised, it places all applications running in the virtual environment at risk. "Virtualisation, as with any emerging technology, will be the target of new security threats," he said.

"Many organisations mistakenly assume that their approach to securing virtual machines will be the same as securing any operating system and, as a result, plan to apply their existing configuration guidelines, standards and tools.

"While this is a start, simply applying the technologies and best practices for securing physical servers will not provide sufficient protection for virtual machines," he said.

According to MacDonald, because of the rush to adopt virtualisation for server consolidation efforts, many IT security issues are overlooked. Best practices are not applied, or in some cases, the tools and technologies for addressing security issues are either immature or non-existent.

As a result, in his March 2007 report, Security Considerations and Best Practices for Securing Virtual Machines, MacDonald predicted that, until 2009, 60% of virtual machines will be less secure than their physical counterparts.

Against this backdrop, MacDonald argued that the process of securing virtual machines must start before deployment. Using this approach means that both security and securability can be factored into the evaluation and selection process.

During this process, Gartner believes that organisations should consider several security issues surrounding virtualisation, including:

● Virtualisation software, such as hypervisors, represents a new layer of privileged software that will be attacked and must be protected.

● The loss of separation of duties for administrative tasks can lead to a breakdown of defences.

● Offline virtual machines and virtual machine appliance images must be patched, and signatures must be updated and protected from tampering.

● Virtual machine appliances where the underlying operating system and configuration are not accessible must be patched and secured.

● Access to inter-virtual machine traffic for inspection by intrusion-prevention systems may be limited.

● Mobile virtual machines require security policies and settings to migrate with them.

● Immature and incomplete security and management tools will represent an administration challenge.

MacDonald said that organisations need to pressure security and virtualisation suppliers, as existing virtualisation products address some of these gaps, but not all. Perhaps more worryingly, he said that it will take several years for the tools and suppliers to evolve and for organisations to mature their processes and staff skills.

According to MacDonald, knowledge of the security risks - as well as the costs of addressing them - must be factored into the cost-benefit discussion of virtualisation. "If these added costs are avoided, the risk of not making the necessary security investments must be accepted by the decision maker in the move to virtualisation," he said.

Perhaps surprisingly, once you start to move outside the more obvious network-based systems such as a unified threat management (UTM) appliance, the number of security applications developed specifically for virtualised environments is quite small.

According to Christofer Hoff, senior security strategist with network security specialist Crossbeam Systems, traditional UTM appliances - even those that are scaled up for use in enterprise applications - are not the way to go for virtualised environments.

Hoff told the Infosecurity Europe show in April that the best way to protect a virtualised system is to integrate the security into the virtual server environment.

Hoff's approach is to run a baseline Linux environment on an X series rack-mounted system and then run a number of security applications within the virtual environment itself, rather than as an external protection system.

Hoff argued that this approach is far more effective in terms of protecting all aspects of the virtualised environment than using a traditional UTM or similar appliance methodology.

What is interesting about Hoff's approach is that it flies in the face of conventional wisdom when it comes to protecting enterprise environments.

Several suppliers have developed scalable and hybrid UTM appliance technologies to cater for 1,000 and even 2,000 connected users, but they all tend to take a perimeter-based approach to the problem of security.

However, to protect a virtualised environment effectively, IT managers must take an integrated approach to the problem.

But there are other approaches to effectively securing a virtualised environment, whether VMware-driven or otherwise.

Speaking at Infosecurity Europe, Carlos Solari, vice-president of Alcatel-Lucent's Bell Labs, said that creating an effective security system for a virtualised environment is about breaking down the various threats to the overall system into individual components.

"You have to take an audit and planning approach, so that you can conduct the necessary risk analysis of the threats facing your virtualised systems," he said. Only once this is done can an IT manager set about implementing a security system that caters to their own specific needs, Solari said.

Before joining Bell Labs, Solari was CIO at the White House. He was charged with protecting the IT systems of the US president and his senior colleagues. Although reluctant to talk about his time there in detail, Solari said that performing an effective risk analysis on an enterprise system - and not just a virtualised environment - is a must-have element of the IT security planning process.

"If you rely purely on suppliers' products without fundamentally understanding how they work and how they fit in with your IT systems, you may be opening yourself up to unknown security threats," he said.

It is clear that implementing effective IT security in a virtualised environment is still very much in its infancy. This is hardly surprising given that virtualisation technologies are still at an early stage in their lifecycle.

Despite this, it is obvious that a perimeter-based approach to security in a virtualised environment is only part of the answer. Hoff's approach of running the virtualised environment as an overlay to a secured Linux platform appears the most innovative approach to the problem.

This is because it allows security software from many suppliers to run quite happily in their own operating system bubbles, yet also interface directly with the virtualised environment across a network connection processed via the underlying Linux platform.

But how can you effectively protect the underlying Linux environment? Current security technology can be used, but what about unknown threats?

Behavioural analysis technology, such as that pioneered by Tier-3 with its Huntsman platform, may be one answer, but it is clear that the issue of securing virtualised environments requires an integrated multi-product and multi-supplier approach, as traditional systems are never going to be enough.

● This article was originally published in Infosecurity Magazine
