Security Think Tank: What are the major security issues surrounding virtualisation?

Virtualisation and security: In what ways is virtualisation helping and hindering enterprise security? What are the security opportunities of virtualisation that should not be missed and what are the security pitfalls that are best avoided?

Virtualisation and security: In what ways is virtualisation helping and hindering enterprise security? What are the security opportunities of virtualisation that should not be missed and what are the security pitfalls that are best avoided?


Regulatory constraints affect virtual machine mobility

Today the typical Gartner client relies on many physical infrastructure-based security practices in an increasingly virtualised world, writes Chris Wolf, research vice-president at Gartner. The reason most cited is the perceived overall lack of maturity in purely software-based virtualisation isolation mechanisms, as well as concerns over security policy or regulatory constraints.

Security zoning is often done via isolation at the physical cluster level to isolate zones of trust (e.g., internal trusted zone and a demilitarised zone [DMZ]). Many organisations use VLANs and other soft mechanisms (e.g., virtualisation security features and virtual security appliances) to isolate security subzones (e.g., internal departments). We have seen a good deal of interest in VMware's vShield product line. However, most customers still perceive the technology as "1.0" and are waiting out further maturity before trusting vShield technologies to isolate zones of trust.

Regulatory constraints (e.g., PCI or HIPAA) often determine where data can be located and processed, as well as how it should be isolated. As a result, regulatory constraints have a huge impact on virtual machine (VM) mobility and cloud placement decisions. On security audit and compliance, organisations should not just trust what a provider says about compliance, but work with security auditors to determine acceptable boundaries for mobility and isolation. Operations teams rarely like the constraints auditors place on them, but such restrictions are necessary to mitigate risk and remain compliant.

Data export restrictions are also a common use case for internal cloud infrastructure. Many organisations are concerned about having any sensitive data leave the walls of their datacentres. Consequently, VMs connecting to sensitive data are often tethered to the datacentre that hosts the data.

One final server virtualisation security concern is with virtual network integration capabilities and security monitoring/enforcement solutions such as IDS or IPS. Not all virtual switches support promiscuous monitoring. That is the case with Hyper-V today. So if a VM is converted from vSphere to Hyper-V, for example, virtual appliance-based promiscuous network monitoring capabilities would be lost. Such capabilities are often most important to customers that run multiple security zones on shared hardware and are not relevant to all organisations.

We remain in a state of transition when it comes to server virtualisation security. Solutions are emerging and it's a great time to work with these solutions in test, development, training and non-critical environments. That will allow the organisation to build the institutional knowledge needed to leverage these emerging solutions once the organisation's security team is ready for production roles. Software and virtual-based security solutions are the way forward because they are required for VM mobility to be efficient at a large scale.

Organisations will continue to leverage a layered approach to security, with physical network-based security, virtual infrastructure-layer security, and host-based security deployed to VM guest operating systems. However, while trying to align traditional physical infrastructure security practices to virtual infrastructure may be effective, it will come at a higher cost.

Continued pressure to reduce IT operational costs combined with greater product maturity and mobility (e.g., hybrid cloud) will inevitably result in broader scale adoption of software-based security solutions that plug directly into the virtual infrastructure.


Pay attention to hypervisor security and change control

Various studies show that an average utilisation of a typical server running on a dedicated HW is between 11-15% - so no wonder that datacentre virtualisation is a hit for any CIO wanting to save costs and gain green credentials, writes Vladimir Jirasek, director of communications, CSA UK & Ireland and project lead CAMM. Two of the biggest cloud providers (Amazon and Microsoft) use virtualisation to serve millions of clients.

From security point of view, all traditional security controls that a diligent security professional would apply to dedicated HW systems are still relevant in the virtualisation world. There are, however, some that stand out as more important: hypervisor security, change control, and maintaining security posture for offline images and templates.

The hypervisor is a piece of code that typically runs on bare metal as slim OS and emulates HW layer for guest operating systems. Any security problem in the hypervisor can have disastrous consequences for all guest operating systems. To date, there have been few vulnerabilities in the hypervisors, however security architecture should never rely on one control. Hence admins should be careful when mixing guest OS of hugely different security classifications, unless there are other controls preventing a compromise.

On plus side, hypervisor is the best place to perform various security controls, such as inter guest OS firewall, host anti-malware control and in-hypervisor intrusion detection. These benefit from being isolated from the guest OS, hence working independently if a guest OS is compromised.

Change control: With physical HW installations, it takes days or weeks to get HW ordered, racked and stacked, OS installed and ready to use. In virtual environment that is already setup, this can take minutes. There is nothing new to install into the datacentre. Your typical administrator has power to create many Guest OS within minutes either for himself or for an eager project manager wiling to cut corners. Without proper change control and independent checks, the risk of malicious use of virtualisation or spawn of undocumented systems can harm the organisation. A segregation of duties between various IT roles is needed to prevent such an uncontrolled use.

Offline images and templates: The speed of virtualisation is made possible by preparing offline templates of Guest OS in advance which then can be used for new systems. These offline images must be patched regularly to make sure new systems are up to date from the first power on. Make sure the patching and configuration systems can handle these offline images.

In summary, DC virtualisation has great benefits and is good for green and cost effective IT. However, CIOs should be aware that with greater powers come greater responsibilities and they should demand better controls from their IT and security professionals.


Virtualisation infrastructure needs to be configured securely

Virtualisation offers enormous benefits and opportunities from security, business continuity and management, writes Kevin Wharram member of London Chapter ISACA Security Advisory Group. However, the virtualisation infrastructure needs to be configured correctly, securely and have the right processes and controls in place to realise the benefits and opportunities.

In a recent study commissioned by Gartner, 60% of virtualised servers will be less secure than the physical servers they replace through 2012.

Very few organisations have a formal security strategy for virtualisation, as they think virtualisation does not require a specialised strategy. That is dangerous as virtualisation opens the enterprise to newer threats that were absent in physical systems.

Organisations need to ensure they have good information security practices and processes in place and ensure that these practices are adequately extended to address the virtual environment. Virtualisation changes the way their infrastructure is architected. This means that some of their systems have to be re-configured to address the new architecture. Organisations need to ensure that the old network restrictions are configured for the new virtual networks as well.

In a virtualised environment, lots of traffic might occur within the hypervisor without ever making it to the protected and secured physical network with intrusion detection systems, malware scanners, etc. This is dangerous unless these security systems are configured to protect the virtual networks as well. Additionally, most enterprises have VLANs in place to separate the data of departments and key personnel (primarily to take care of various government regulations).

The ease of virtualisation leads to an increased number of virtual machine instances which, if not controlled correctly, leads to "server sprawl". Other issues concern possible data breaches, whereby data which once resided in secure environments could be inadvertently moved into an insecure environment by the touch of a button. The biggest threat in the virtual environment is down to configuration and controls; this is usually due to a lack of education, segregation of duties and lack of processes and controls.

The key points to take away from this article is that threats lie primarily with the lack of understanding of technologies that enable virtualisation and associated risks. Most of the threats can be mitigated with policies governing access control, audit, and configuration.


Don't overlook the patching needs of virtual platforms

Virtualisation skills are in demand, reflecting a significant shift in enterprise computing, writes Patrick Tarpey, active volunteer and expert with (ISC)2. Offering fast deployment, demand scalability, efficiency and high availability it is little wonder businesses are dispensing with the traditional carbon-hungry datacentre model and adopting virtualisation.

The patching requirements of the virtual platform are all too easy to overlook, with IT management and support concentrating their patching efforts on the guest operating systems. Whilst the underlying virtualised platform offers a minimalist environment with an equally small attack surface, a security compromise or failure can have devastating consequences. For example, attackers who have gained access to either virtualisation platform or management interfaces can snapshot, copy (steal), delete and stop guest operating systems at leisure.

For both stability and security, it is advisable to consider your virtual platform no differently from your traditional guest operating systems running on top. Administrative interfaces are also a key consideration, particularly management console software running on support workstations or dedicated servers. Surfing the web from virtual management server consoles should be strongly discouraged as this opens a large attack vector that, if exploited, can compromise the virtual environment.

The networking of the virtual environment can offer some challenges, particularly on Internet facing systems. Whilst virtual networking often uses differing sub-nets or VLANs segmenting guest operating systems from the internal network, the virtualisation management network should be subjected to equally robust security and network monitoring, ideally with similar segmentation and secure authentication.

Virtual machines can make an excellent environment in which to study the effect of malicious code or to facilitate controlled forensic investigations. There is evidence to support that malware developers are increasingly incorporating VM-aware routines to thwart such analysis. In some cases, it might be necessary to revert to a physically separate environment to perform analysis to be certain that VM aware malware is not cloaking or hiding its presence.

Virtualised desktops and servers allow the speedy rebuild of environments compromised by malware infection. It is equally important for IT managers to keep the base builds up to date and maintained, otherwise the inadvertent redeployment of vulnerable operating system images into a live environment is possible.

Virtualisation offers many benefits but like any other technology needs the same security rigour and routine maintenance.


Make sure the hypervisor is secure and duties segregated

Server virtualisation which, as we all know, enables organisations to create one or more discrete environments on a single physical server is built from three main components: a physical server; software called a hypervisor; and one or more virtual servers, writes Adrian Davis, ISF principal research analyst. How organisations deploy servers will impact their software and hardware choices. ISF members typically deploy Type I hypervisors to ensure the availability of critical business applications; Type II hypervisors are used to provide IT agility and flexibility.

The ISF - working with its members - has identified five major security benefits, which are: improving the availability of critical systems; simplifying server deployment; streamlining patch management; providing effective test environments; and increasing the availability of legacy systems. However, there is a downside. We have identified five security issues, namely: single point of failure at the hypervisor or the hardware; poor configuration; difficulty in monitoring traffic; lack of hypervisor protection; and lack of segregation of duties on the hypervisor. These threats are in addition to the typical threats to physical servers (including hardware malfunction, loss of power and malware infection).

Key responses should include: establishing a policy that restricts the use of virtual servers; limiting the number of virtual servers that can run on a single physical server; and controlling the number of critical business applications can be run on a single physical server.

Each virtual server should be protected in the same manner as an individual physical server, applying access controls, deploying patches and regularly backing up information. Special attention should be paid to protect the hypervisor by restricting access, controlling privileges and prioritising software patches.


Ensure the host operating system is fully patched and secured

The last decade has enjoyed aggressive growth of virtualised platforms, driven by the motivation to cut the stack of tin boxes, and to minimise the physical footprint of servers sitting on the floors of datacentres, writes John Walker, London Chapter ISACA Security Advisory Group and director of communications common assurance maturity model. There are of course a number of other clear advantages to be gained with virtualisation in the form of flexibility, and of course some spin in the area of greenness. However on moving over to virtual desktops and servers, there is a need to part rethink the security technological strategy to ensure the facets of security are aligned to good security practice.

The first obvious aspect to cover is to decide just how virtualisation fits in with the technical, or more the case, the business strategy, and to clarify what the overall objective is to delivering these soft image based systems. Well starting with a security value-add, consider the organisations who wish to secure their information assets under a robust and secure centralised storage framework. Enter virtualisation - by leveraging a VDI approach to say the mobile and home working employees, interfaced with the disciplines of secure authentication, and secure tunnelling. In this way it is possible to provision remote users to interface with, and process the companies valuable, and sensitive information assets, whilst at the same time assuring that they are only written to secure, company side servers, leaving the endpoint computer free of any information footprint.

With this approach, and of course, bandwidth allowing, the organisation may decide extend this external model to encompass the entire desktop estate to operate under the same set of logical policies - enforcing centralised, secure storage of all information assets. However, to get the topic back on track, what about the wider implications of securing the virtualised estate.

First and foremost, and let us be very clear here, when deploying virtualised system, be they desktop, or served-based, they should be considered as systems satisfying the same need as their tin-based relations, but with a requirement for a slightly different approach when it comes to provisioning security. It may also be a good time to stress that, such is the importance of this area of security the PCI-DSS Standards Council has recently delivered an advisory document covering this very subject.

At this juncture it may also be prudent to clarify that, any virtualised environments running on a host operating system, are working under privileged conditions, interfacing at kernel level of the host OS. Thus any breakout from the perceived sandboxed VM world, allowing direct interface at, what is often termed Ring 0, could have significant implications on the underlying security model of the operational estate - so take care this is done right!

One very key aspect of any security strategy is to assure the OS is fully patched and secured. However, with the virtual environment this needs to be assured at both the host environment, as well as that of the virtual world, being presented to the users, applications, and of course other network connections.

There is also the requirement to ensure that the Physical, and Virtualised environments enjoy a segregated consideration at both network layer, as well as those higher level administrative tasks - after all, one should seek to keep these disparate trusted environments in their own operational ring-of-trust worlds.

Another challenge is that of assuring that the off-line images are maintained in a fully patched, and anti-malware protected condition - the last thing that the users want to encounter is, to have their VM spin up, only to have it get busy for half an hour whilst it updates the various security components - this does not do a lot to enhance the reputation of IT.

And having mentioned anti-malware, it is worth mentioning that, as with any other technology, the bad guys are out with their Advanced Evasion Techniques (AET) in their attempts to compromise this popular image based environment. Here we are likely to encounter new age VM aware Malware in the form of Virtual Rootkits, VAM (Virtualisation Aware Malware), VMBR (Virtual Machine Based Rootkits), and HVMR (Hypervisor Virtual Machine Rootkits). So as you can see, just because its virtual does not remove the bad stuff.

To conclude, the virtualised world of computing dictates that it be approached with a required level of respect to assure it serves the organisation well. Do it right, and it can be a blessing. Do it wrong and...


Vulnerabilities lie in complexity of different operating systems

Is the move to virtualisation a security help or a hindrance, or is it neutral, asks Peter Wenham, committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management. The first thing to remember is that virtualisation is not new, it's been with us for a very long time, remember the days when the mainframe ruled supreme. All the mainframe vendors had a VM offering with IBM's VM probably one of the best known.

The biggest security pitfalls with virtualisation today on Intel/AMD/Compatible server platforms is that a VM product has to be able to (a) support a number of differing OSs (e.g. Windows, Linux & Unix) and differing OS distributions (e.g. Linux distributions), (b) support a number of different CPUs and support chips (e.g. a constantly evolving server architecture) and (c) interwork with a number of differing third party security products. All of these variables tend to mitigate against the development of a maturing and secure VM product space.

Will we ever get virtualisation technologies to the same level of maturity and security of mainframe products? Currently I believe that the jury is out. One thing the mainframe vendors had was full control over their space and so did not encounter the same problems that today's VM venders face. All that said, there is far greater use of VM technology today which does bode well for the future but for the moment careful selection of server hardware, OS, VM technology and other products is a must.

So are there any positives to the use of virtual technology?. In the security world there is one very big positive and that is in disaster recovery in that if you have a VM image of a server, it will run on any VM providing the basics are met (e.g. CPU power, RAM and disk size), there being no need to recompile for different hardware. The other security benefit deriving from the use of VM technology is in the area of availability where a VM product is able to dynamically adjust resource to meet load requirements, or even to move a service from one servers to another. And my view of VM, it's neutral

Read more on IT risk management