NIST issues virtualization security guidance

The National Institute of Standards and Technology (NIST) this week issued a guidance document for securely configuring and using virtualization technologies.

According to NIST, "full virtualization," defined as running one or more operating systems (OSs) and the applications they contain on top of virtual hardware, provides operational efficiency but also has negative security implications.

“Virtualization adds layers of technology, which can increase the security management burden by necessitating additional security controls,” the guidance document states.

The document, called “Guide to Security for Full Virtualization Technologies,” is intended for system administrators, security program managers, security engineers or anyone else involved in designing, deploying or maintaining full virtualization technologies.

NIST recommended that security be considered before a full virtualization solution is installed, configured and deployed, both to maximize protection and to keep costs as low as possible.

“Most existing recommended security practices remain applicable in virtual environments,” the document states.

As a rule of thumb, organizations must ensure that each component of a full virtualization solution is secure, NIST recommended.

This includes securing the hypervisor, the software layer that creates and controls the virtual machines, as well as the host OS, guest OSs, applications and storage. Organizations should keep all of these layers updated with security patches and use secure configuration baselines, host-based firewalls and anti-virus software or other mechanisms to detect and stop attacks.

“Organizations should have the same security controls in place for virtualized operating systems as they have for the same operating systems running directly on the hardware,” the guidance document states.  “The same is true for applications running on guest OSs.”

To ensure that the hypervisor is secured, organizations must disable unused virtual hardware and unneeded hypervisor services, such as clipboard or file sharing between guest and host, NIST recommended. Organizations should also monitor the hypervisor for signs of compromise and consider monitoring the security of each guest OS and the activity occurring among guests.
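The two recommendations above (apply a secure configuration baseline, and disable unneeded guest-to-host services and unused virtual hardware) are the kind of thing an administrator can check mechanically. The following is an added example, not code from the NIST guide or from this article: it audits a VMware-style .vmx guest configuration against a small baseline and produces a hardened copy. The isolation.tools.* keys and the *.present device keys are the ones VMware's own hardening guides use for clipboard, drag-and-drop, shared folders and removable hardware; the sample configuration is constructed for this example, and the key = "value" line format and case-insensitive key matching are assumptions about the file format.

```python
"""Audit a VMware-style .vmx guest configuration against a hardening baseline.

Added example: not part of the NIST guide or the SC Magazine article.
Assumptions: settings are one key = "value" per line and keys are matched
case-insensitively. The sample configuration below is constructed.
"""
import re

# Guest-to-host services that the baseline requires to be disabled
# (the key must be present and set to TRUE).
REQUIRED_TRUE = {
    "isolation.tools.copy.disable": "clipboard copy from guest",
    "isolation.tools.paste.disable": "clipboard paste into guest",
    "isolation.tools.dnd.disable": "drag-and-drop file transfer",
    "isolation.tools.hgfsServerSet.disable": "shared folders (HGFS)",
}

# Virtual hardware that should be absent unless there is a documented need.
UNNEEDED_DEVICES = {
    "floppy0.present": "floppy drive",
    "serial0.present": "serial port",
    "parallel0.present": "parallel port",
    "usb.present": "USB controller",
}

VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

# Constructed sample: a guest with clipboard copy enabled, two unneeded
# services left unconfigured, and a floppy drive and USB controller attached.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "web-01"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "TRUE"
floppy0.present = "TRUE"
serial0.present = "FALSE"
usb.present = "TRUE"
"""


def parse_vmx(text):
    """Parse key = "value" lines into {lower-cased key: (key as written, value)}.

    Raises ValueError on any line that is not blank, a comment, or a setting,
    so a truncated or hand-edited file is not silently audited as compliant.
    """
    config = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = VMX_LINE.match(line)
        if not match:
            raise ValueError(f'line {lineno}: not a key = "value" setting: {line!r}')
        key, value = match.group(1), match.group(2)
        config[key.lower()] = (key, value)
    return config


def audit_vmx(text):
    """Return a sorted list of (key, finding) for settings that violate the baseline."""
    config = parse_vmx(text)
    findings = []
    for key, desc in REQUIRED_TRUE.items():
        value = config.get(key.lower(), (key, ""))[1].strip().upper()
        if value != "TRUE":
            findings.append((key, f"{desc} not disabled (value: {value or 'unset'})"))
    for key, desc in UNNEEDED_DEVICES.items():
        # A device that is not mentioned at all is treated as absent.
        value = config.get(key.lower(), (key, "FALSE"))[1].strip().upper()
        if value == "TRUE":
            findings.append((key, f"{desc} present"))
    return sorted(findings)


def harden_vmx(text):
    """Return the configuration text with the baseline applied.

    Settings outside the baseline (display name, disks, network) are kept as
    written; baseline keys are added if missing or overwritten if weak.
    """
    config = parse_vmx(text)
    for key in REQUIRED_TRUE:
        name = config.get(key.lower(), (key, None))[0]
        config[key.lower()] = (name, "TRUE")
    for key in UNNEEDED_DEVICES:
        name = config.get(key.lower(), (key, None))[0]
        config[key.lower()] = (name, "FALSE")
    return "".join(f'{name} = "{value}"\n' for name, value in config.values())


if __name__ == "__main__":
    for key, finding in audit_vmx(SAMPLE_VMX):
        print(f"FAIL {key}: {finding}")
    print("--- hardened configuration ---")
    print(harden_vmx(SAMPLE_VMX), end="")
```

Run against the constructed sample, the audit reports five findings (clipboard copy enabled, drag-and-drop and shared folders unconfigured, floppy and USB present); the hardened output passes a second audit with no findings while keeping the guest's other settings. The same pattern applies to other hypervisors: express the baseline as key/value expectations and refuse to audit a file whose format you cannot fully parse.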

Providing physical access controls for the hardware on which the hypervisor runs is also important, added the guidance document.

In addition, organizations should restrict and protect administrator access to the virtualization solution, the document states. Access to the virtualization management system should be restricted to authorized administrators only.

By 2012, more than 50 percent of enterprise data centers are expected to be virtualized, according to a report released last year by Gartner.

Moreover, in five years, virtualized systems likely will be more secure than their physical counterparts. But through 2012, most virtualized servers will be less secure than the physical servers they replace, Gartner predicted.

The analyst firm attributed the shortfall to organizations' failure to involve the IT security team in their virtualization deployment projects, as well as to the immaturity of tools for protecting these new environments.
