The National Institute of Standards and Technology (NIST) this week issued a guidance document for securely configuring and using virtualization technologies.
According to NIST. “full virtualization,” defined as when one or more operating systems (OS) and the applications they contain are run on top of virtual hardware, provides operational efficiency but it also has negative security implications.
“Virtualization adds layers of technology, which can increase the security management burden by necessitating additional security controls,” the guidance document states.
The document, called “Guide to Security for Full Virtualization Technologies,” is intended for system administrators, security program managers, security engineers or anyone else involved in designing, deploying or maintaining full virtualization technologies.
To maximize protection and keep costs as low as possible, security should be considered before installing, configuring and deploying a full virtualization solution, NIST recommended.
“Most existing recommended security practices remain applicable in virtual environments,” the document states.
As a rule of thumb, organizations must ensure that each component of a full virtualization solution is secure, NIST recommended.
This includes securing the hypervisor, a central program that runs the virtual environment, as well as the host OS, guest OSs, applications and storage. Organizations should keep software updated with security patches and use secure configuration baselines, host-based firewalls and anti-virus software or other mechanisms to detect and stop attacks.
“Organizations should have the same security controls in place for virtualized operating systems as they have for the same operating systems running directly on the hardware,” the guidance document states. “The same is true for applications running on guest OSs.”
To ensure that the hypervisor is secured, organizations must disable unused virtual hardware and unneeded hypervisor services, such as clipboard or file sharing, NIST recommended. Also, organizations should monitor the hypervisor for signs of compromise and consider monitoring the security of each guest OS and the activity occurring among them.
Providing physical access controls for the hardware on which the hypervisor runs is also important, added the guidance document.
In addition, organizations should restrict and protect administrator access to the virtualization solution, the document states. Access to the virtualization management system should be restricted to authorized administrators only.
By 2012, more than 50 percent of enterprise data centers are expected to be virtualized, according to a report released last year by Gartner.
Moreover, in five years, virtualized systems likely will be more secure than their physical counterparts. But through 2012, most virtualized servers will be less secure than the physical servers they replace, Gartner predicted.
The analyst firm blamed the stumbling on organizations’ failure to involve the IT security team in its deployment projects, in addition to immature tools to protect these new environments.