Securing virtual machines still a dark art, says Kaspersky Lab

Five common myths about virtualisation security are preventing businesses from getting the greatest benefit with the least risk

Virtualisation is becoming a core part of mission-critical IT infrastructure, yet securing a virtual network is still a dark art, says David Emm, senior security researcher at Kaspersky Lab.

“All too often businesses apply security measures developed for physical machines, which can leave the business exposed to a whole raft of risks,” he said.

Even though growing reliance on virtualised environments has moved the issue of securing them up the business agenda, Emm said five common myths, or misconceptions, continue to put organisations at risk.

Myth 1: I do not need additional security. The endpoint security software I use to protect my PCs, mobile devices and servers can protect my virtual environment too.

This is a very common perception, and can be the root cause of many challenges that IT departments face while trying to secure their virtual network, said Emm.

“Most traditional endpoint security systems are not virtual-aware. So while they may provide the same protection they deliver on physical systems, they do so at the expense of performance – for example, having to download updates separately for each and every virtual machine,” he said.

Myth 2: It may not be perfect, but my existing anti-malware does not interfere with the operations of my virtual environment.

Traditional endpoint security uses an agent-based model where each physical and virtual machine gets a copy of the security program’s agent and this agent communicates with the server while performing its security tasks.

“This works fine for physical machines, but if you have 100 virtual machines, this means you have 100 instances of this security agent, plus 100 instances of its malware signature database running on a single virtual host,” said Emm.

“This high level of duplication impacts performance, wastes storage capacity and can result in a time-lag between boot-up and protection of the virtual machines.

“The reality is that existing anti-malware does interfere with the working of the virtual environment, and performance issues can create security gaps that did not exist before,” he said.

Myth 3: Virtual environments are inherently more secure than physical environments.

“This is not true. Remember, virtualisation is designed to allow software, including malware, to behave as it normally would.

“In the end, malware writers will target any and all weak points in a business network to accomplish their criminal goals. As virtual networks become hosts for more critical business operations, they will become bigger targets,” said Emm.

He pointed out that the data held on virtual networks is the same as it was on physical machines.

“Virtual machines may be gateways to a server, or the server itself may be a virtual machine. Either way, the cyber criminals want access to the data,” said Emm.

If an attacker compromises one virtual machine, Emm said, it is possible for them to replicate their code across all virtual machines on the same physical server, further maximising their opportunity to steal important business data.

Myth 4: Using non-persistent virtual machines is an effective way to secure my network.

While this makes sense in theory, because any machine that encounters malware is wiped away and recreated cleanly, Emm said security firms have begun seeing malware designed to survive the tear-down of individual virtual machines by spreading across a virtual network, allowing it to return when new virtual machines are created.

“If the policy allows new machines to be easily created on demand, this can also result in a virtual machine sprawl, where a virtual machine could be created and forgotten, creating the risk of unmaintained virtual endpoints operating outside an IT department’s knowledge or control,” he said.
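The "created and forgotten" problem Emm describes is one a defender can check for mechanically, by reconciling the hypervisor's list of virtual machines against what the security-management console actually covers. The following Python is an added example, not Kaspersky's or the article's code: the two inventories, the hostnames, the dates and the 7- and 30-day thresholds are constructed sample data standing in for exports from a real hypervisor and security console.

```python
"""Reconcile a hypervisor VM inventory against the endpoint-protection console.

Constructed example: both inventories below are inline sample data standing in
for API exports from a hypervisor (VM name, creation date, owner, power state)
and from a security-management console (which hosts have reported in, and how
fresh their malware signatures are). Three findings map onto the sprawl risk:
  - unmanaged: the hypervisor knows the VM, the security console never saw it
  - stale:     the console knows it, but it stopped checking in or updating
  - orphaned:  powered on, nobody owns it, and it has been around for a while
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class VirtualMachine:
    name: str
    created: date
    owner: Optional[str]   # None = no team or person claims this VM
    power_state: str       # "on" or "off"


@dataclass(frozen=True)
class ManagedEndpoint:
    hostname: str
    last_checkin: date     # last time the agent or agent-less scan reported in
    signature_date: date   # date of the malware-signature set it is running


# Constructed "today" for the report; a real run would use date.today().
TODAY = date(2024, 1, 31)

# Constructed hypervisor inventory (stands in for a vSphere/Hyper-V export).
HYPERVISOR_INVENTORY = [
    VirtualMachine("web-01", date(2023, 6, 1), "web-team", "on"),
    VirtualMachine("web-02", date(2023, 6, 1), "web-team", "on"),
    VirtualMachine("test-build-17", date(2023, 10, 2), None, "on"),  # forgotten test box
    VirtualMachine("db-01", date(2023, 1, 15), "dba", "on"),
    VirtualMachine("jumpbox", date(2024, 1, 20), None, "off"),       # new, powered off
]

# Constructed security-console export; note the console may use different casing.
SECURITY_CONSOLE = [
    ManagedEndpoint("WEB-01", date(2024, 1, 31), date(2024, 1, 31)),
    ManagedEndpoint("web-02", date(2024, 1, 10), date(2024, 1, 10)),   # agent went quiet
    ManagedEndpoint("db-01", date(2024, 1, 30), date(2024, 1, 5)),     # checks in, old signatures
    ManagedEndpoint("old-vdi-03", date(2023, 12, 1), date(2023, 12, 1)),  # not in hypervisor any more
]


def unmanaged_vms(inventory, managed) -> list:
    """VMs the hypervisor knows about that the security console has never seen."""
    known = {m.hostname.lower() for m in managed}
    return sorted(vm.name for vm in inventory if vm.name.lower() not in known)


def stale_endpoints(managed, today, max_age_days=7) -> list:
    """Managed endpoints whose last check-in or signature set is older than max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(m.hostname for m in managed
                  if m.last_checkin < cutoff or m.signature_date < cutoff)


def orphaned_vms(inventory, today, max_age_days=30) -> list:
    """Powered-on VMs with no owner that are older than max_age_days: created and forgotten."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(vm.name for vm in inventory
                  if vm.owner is None and vm.power_state == "on" and vm.created < cutoff)


def sprawl_report(inventory, managed, today) -> dict:
    """Combine the three checks into one report keyed by finding type."""
    return {
        "unmanaged": unmanaged_vms(inventory, managed),
        "stale": stale_endpoints(managed, today),
        "orphaned": orphaned_vms(inventory, today),
    }


if __name__ == "__main__":
    for finding, hosts in sprawl_report(HYPERVISOR_INVENTORY, SECURITY_CONSOLE, TODAY).items():
        print(f"{finding:>10}: {', '.join(hosts) or '-'}")
```

Hostnames are compared case-insensitively because hypervisor and console exports rarely agree on casing; in practice the join key is often a VM UUID or MAC address rather than the name, which is more reliable when VMs are cloned from the same template.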

Even if the rest of the virtual machines are secure, Emm said, it is possible for one virtual machine to eavesdrop on the traffic of another, creating a privacy and security risk.

“And even a non-persistent infection can compromise sensitive information, such as a login or password, and most virtual machines are persistent servers, which means they are not shut down even in the event of a security threat,” he said.

Recent research showed more than 65% of businesses worldwide will have some form of server virtualisation in the next 12 months.

“And these servers need to be on all the time for the business to function, so the tear-down approach to security is not viable in this situation,” said Emm.

Myth 5: If I decide to use a specialised virtual security program, they are all more or less the same.

Most traditional endpoint security measures take an agent-based approach, but a virtualised environment needs flexibility to ensure total protection, according to Emm.

In many cases this will be a blend of agent-less and light-agent security, to provide advanced protection for a whole spectrum of different virtual environments – including VMware, Citrix and Microsoft.

“There is no one-size-fits-all solution and the right application, or combination of applications, depends entirely on what you are trying to protect.

“A non-web-connected server is going to have entirely different security needs to a virtual desktop or a server that manages customer information,” said Emm.

He believes the agent-less model offers performance advantages by performing security tasks away from the virtual machine. 

“This means, for example, that you only need to download antivirus updates once, for all virtual machines. 

“But there are limits to the ability of agent-less software to perform advanced security management and network-protection tasks on virtual endpoints,” said Emm.

However, he believes a light-agent model can offer the best of both worlds, improving on existing agent-less and agent-based security models by combining centralised control with extra security features, including application controls and web usage policy enforcement.

“Specialised software and expertise are required to build and maintain a virtual network. So as virtualised environments become a standard feature of the business environment, it is critical that businesses deploy appropriate systems that allow growth, but maintain security,” said Emm.
