It would be difficult to avoid the wave of virtualization technology sweeping the industry. The reasons for adopting virtualization are too compelling – with cost savings at the top of the list.
“In the virtualization market space, the server virtualization market is where the fastest adoption is taking place. This includes application servers, file servers, web servers, database and email servers,” says Harish Agastya, director of incubation products at Trend Micro.
Think of it this way: You have a data center with a few hundred servers, many of which are set up and tuned to do one job efficiently. It's likely that a few of those servers are lightly loaded – perhaps running at 50 percent capacity or less. With proper virtualization, one could combine several of those physical machines, transferring workloads to a single piece of hardware. Bingo! You have fewer machines, less cost, less maintenance, lower power and environmental conditioning needs, along with less capital expense.
But users may have more security problems. With virtualization come new challenges. Why? Because the machine is the data. That is, in most virtualization schemes, the virtual machines and associated storage are abstractions – essentially files (at least – or especially – when “powered down”). The files come to life atop a layer of software, called a hypervisor, hosted in turn by an operating system or server software. With virtualization, you can move machines or storage “files” across hosts, back them up to tape, or copy them to disaster-recovery sites.
“The challenges that are met by traditional security methods aren't addressed the same – the solutions don't come at the problem from a virtual perspective, they come at it from the perspective of physical servers,” says Eric Chiu, president and CEO of HyTrust.
Often, in the rush to take advantage of the cost savings and other benefits of virtual computing, organizations do not pay as much attention to security as they should.
“As companies have virtualized, they may not realize until after the fact that some of the existing technologies they have in place to secure their server environments are now open to a set of security issues that they didn't have to face in the physical world,” says Trend Micro's Agastya.
Take, for example, dormant virtual machines (virtual machines that are “off”). In the physical world, a machine that is turned off is about as secure as it can be. But in the virtual world, a machine that is off is still accessible through the underlying host as a file. So any application that has access to the underlying host could access the “off” virtual machine, write to it, and thereby infect it.
In other words, because the machine is off and cannot run a scan agent, it cannot protect itself. It's a sitting duck for any malicious application that can access the underlying host. Coming versions of VMware and Microsoft products are likely to address these concerns, but in the meantime, organizations with older technologies in place must be wary.
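Because a powered-off virtual machine is only a file on the host, the host can check that file on the machine's behalf. The sketch below is an added example, not from the article or any vendor product: it records SHA-256 hashes of dormant image files at shutdown and reports any that changed, disappeared or appeared before power-on. The extension list and the sample file names are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

# File extensions treated as VM disk images (assumed list; adjust per hypervisor).
VM_EXTENSIONS = (".vmdk", ".vhd", ".vhdx", ".qcow2")

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Return {relative_path: sha256} for every VM image file under root."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(VM_EXTENSIONS):
                full = os.path.join(folder, name)
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def compare(baseline, current):
    """Classify differences between the power-off baseline and the current state."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed sample: two dormant images, one altered while powered off."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("web01.vmdk", b"disk-a"), ("db01.vhd", b"disk-b")):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        baseline = snapshot(root)  # taken when the VMs are shut down
        with open(os.path.join(root, "web01.vmdk"), "ab") as handle:
            handle.write(b"tampered")  # a write made through the host file system
        with open(os.path.join(root, "copy.qcow2"), "wb") as handle:
            handle.write(b"new image")  # an image nobody registered
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline manifest is only useful if it is stored somewhere the host's ordinary applications cannot rewrite, otherwise the same access that alters the image can alter the record.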
“One of the things to bear in mind is that virtualization enables you to move machines around, so it's important to keep track of where they are – that is, they may not be where you think they are,” says Kevin Skapinetz, technology strategist and researcher at IBM Internet Security Systems. “Virtual machines may move to hosts that are less secure. You have to be sure to have secure boundaries between workloads.”
Physical and virtualized security
Still, whether running in physical or virtual environments, there are some things that are the same in terms of security.
“Many of the tools used to secure a virtual environment are common in non-virtual environments,” says Mike Schutz, director of product management, Windows Server division at Microsoft. “People still need to deploy and configure security technologies – and misconfiguration often presents key security vulnerabilities. Many of the issues remain the same in virtual or physical worlds.”
According to Schutz, there are three things to keep in mind when going to a virtualized environment:
First, because a virtual environment includes a hypervisor that hosts virtual machines, it's important that this layer be secure and trusted.
Second, users must be sure that virtual machines are isolated from one another, so that one infected virtual machine does not infect the other machines on the hypervisor.
And third, users should monitor traffic and ongoing operations in the hypervisor in real time.
Fortunately, virtualization gives users the option of having a cleaner monitoring environment, particularly the ability to watch activity closely on a per-machine basis.
“It de-conflicts a lot of the monitoring difficulties,” says Becky Bace, president and CEO of Infidel, a network security consulting practice in Scotts Valley, Calif. “You can monitor for a certain type of activity, and block everything else on a particular virtual machine without worrying about denying traffic elsewhere.”
An attack on a hypervisor, however, can have a big footprint – it would leverage the power of the hypervisor.
“One way to prevent infection is to allow the machines to only communicate through the [virtual] network where policies can be enforced,” says Schutz.
The linchpin in all of this is management – especially policy management. Virtual security will be ineffective if management is slighted. The technology that secures virtual environments should share management consoles with physical management of endpoints. In turn, security technologies for virtual environments should be integrated with consoles that manage virtual machines – that is, the management of the virtual machine environment should integrate with the management of virtual machine security.
“Virtualization takes strong planning and also takes a close look at the security that is already in place. An organization may not always have the capability to move physical security controls into a virtual world,” says IBM's Skapinetz. “So, the first step in moving to the technology is to identify any gaps and identify a set of guidelines and best practices for dealing with the issues.”
Microsoft's Schutz adds, “It's important to have up-to-date patches – there should be strong policies in place on keeping things current.”
In fact, virtualization problems can be more operational and organizational than they are technical, according to Chris Hoff, chief security architect at Unisys. It depends, of course, on the size of the organization and how siloed it may be.
“As you design and build a heavily virtualized IT infrastructure, you better make sure that you architect and design the security in,” says Hoff.
What about compliance and meeting regulatory requirements?
“In a business environment, you don't want to incur legal liabilities – you don't want to have your own assets compromised in such a way that an attack can be turned around and used as an attack mechanism against someone else,” says Infidel's Bace.
You can be compliant, but it takes careful planning. When you have a lot of moving parts, it can make the certification process more complex.
“You can still guarantee levels of isolation. You can set up the same components of access control and encryption,” says Dan Powers, VP of brand, strategy, marketing and business development at IBM ISS. “Is it [certification] attainable? I would say yes.”
Tools for dealing with compliance can be leveraged for a virtual world.
“The majority of the kinds of things you need for adequate security exist today. You can lock down the data, provide logging and tracking needed for audit purposes, and keep service management records on how you bring up environments and take them down,” says Unisys' Hoff.
Virtualization is a technology whose time has come. Many of the primary problems in deploying a virtualized environment can be solved with proper planning. A carefully thought-out deployment may even yield fewer security problems. And at the very least, the decreased costs can far outweigh any increased cost of added security measures.